Abstract


Verification methodologies for real-time systems can be classified according to whether they are based on a continuous time model or a discrete time model. Continuous time often provides a more accurate model of physical reality, while discrete time can be more efficient to implement in an automatic verifier based on state exploration techniques. Choosing a model appears to require a compromise between efficiency and accuracy.

We avoid this compromise by constructing discrete time models that are conservative approximations of appropriate continuous time models. Thus, if a system is verified to be correct in discrete time, then it is guaranteed to also be correct in continuous time. We also show that models with explicit simultaneity can be conservatively approximated by models with interleaving semantics.

Proving these results requires constructing several different domains of agent models. We have devised a new method for simplifying this task, based on abstract algebras we call trace algebra and trace structure algebra. A trace algebra has a set of traces as its carrier, along with operations of projection and renaming on traces. A trace can be any mathematical object that satisfies certain simple axioms, so the theory is quite general. A trace structure consists, in part, of a subset of the set of traces from some trace algebra. In a trace structure algebra, operations of parallel composition, projection and renaming are defined on trace structures, in terms of the operations on traces. General methods for constructing conservative approximations are described and are applied to several specific real-time models. We believe that trace algebra is a powerful tool for unifying many models of concurrency and abstraction beyond the particular ones described in this thesis.

We also describe an automatic verifier based on the theory, and give examples of using it to verify speed-dependent asynchronous circuits. We analyze how several different delay models, including a new model called chaos delay, affect the verification results. The circuits and their specifications are represented in discrete time, but because of our conservative approximations, circuits that are verified correct are also correct in continuous time.

Chapter 1
Introduction


Modeling and verifying concurrent systems has grown into an important field of computer science. Several different categories of concurrent systems have been studied, including parallel programs, communication protocols and circuits. Over the last several years there has been increasing interest in modeling and verifying real-time systems. For our purposes, a real-time system is any system that, to be formally verified to satisfy its specification, must be modeled with explicit reference to quantitative time. Thus, if a system's specification is timed (constrains the time between events rather than just their order), then it is a real-time system. Another case is if the specification is untimed, but the correct operation of the system depends on timing assumptions about its components (such as an asynchronous circuit that is not speed-independent).

There are a large number of different real-time models in the literature. They can be classified according to whether they are continuous time models or discrete time models. Continuous time often provides a more accurate model of physical reality, while discrete time can be more efficient to implement in an automatic verifier based on state exploration techniques. Choosing a model appears to require a compromise between efficiency and accuracy.

We show how to avoid this compromise by taking advantage of the relationships between several different real-time models. All of the models we use are based on trace structures, which consist of sets of input and output events, and a set of traces. Each trace represents a possible behavior of the agent modeled by the trace structure.

There are many different kinds of traces, each of which is a different abstraction of physical behaviors. For example, with speed-independent interleaving semantics, traces are strings (from some formal language) that abstract time to be just a total order on events. Partial order based methods provide a different abstraction for behaviors by replacing total orders on events with partial orders. In real-time models, traces include quantitative information about the time at which events occur.

We want to be able to use all of the above kinds of traces, as well as many other kinds, when modeling agents. Thus, the kind of trace that is used is a parameter in our method. Any mathematical object that satisfies certain minimum requirements can be used as a trace. These requirements are formalized as the axioms of trace algebra. A trace algebra has a set of traces as its domain, and defines the operations of projection and renaming (and sometimes concatenation) on traces.

We define several operations on trace structures, including parallel composition, projection and renaming. Consider the operation of parallel composition. For all of the different models we consider, this operation on trace structures has exactly the same definition, which is given in terms of the projection operation on traces. The operations of projection and renaming on trace structures are also defined the same way for all of our models. These operations on trace structures form a trace structure algebra. Thus, to construct a new trace structure algebra (which provides a domain of agent models), we need only define a new trace algebra (which is a domain of models for individual behaviors). Many of the basic properties of the operations on trace structures follow from the axioms of trace algebra, so they hold for any trace structure algebra.

Trace structures represent both implementations and specifications. An implementation (represented by a trace structure T) satisfies a specification (represented by T') if and only if the set of possible traces of T is contained in the set of possible traces of T'. Intuitively, the specification gives a set of legal behaviors; if all of the behaviors of the implementation are legal, then the implementation satisfies the specification. This particular criterion for satisfying a specification is called trace set containment. Since traces can be strings in a formal language, trace set containment is a generalization of the standard notion of language containment.

The verification methods we propose involve using two different models. For example, we might use a continuous time model and a discrete time model. As noted above, to construct these models (and the corresponding trace structure algebras) it is only necessary to construct two trace algebras. The continuous time model is the more physically accurate model; if a design satisfies its specification in continuous time, then we can be confident that the design will work properly when implemented. Thus, a continuous time model is used when providing a specification and an implementation to be verified. The specification is given as a continuous time trace structure and the implementation is given as the parallel composition of one or more continuous time trace structures (perhaps with some internal signals hidden). Each of these continuous time trace structures is abstracted to form a discrete time trace structure. The resulting discrete time specification and implementation are input to an automatic verifier that is based on a discrete time model. The output of the verifier (i.e., whether the implementation satisfies the specification in discrete time) indicates whether the implementation satisfies the specification in continuous time.

There are four cases to consider depending on whether or not the implementation satisfies its specification in discrete time or in continuous time. If the implementation is correct in both cases, or is not correct in both cases, then the discrete time verification accurately indicates whether the implementation is correct in continuous time. A false positive is the case where the implementation is correct in discrete time but not in continuous time; the automatic verifier inaccurately indicates that the implementation is correct. The method used to abstract continuous time trace structures into discrete time trace structures must insure that false positives never occur; this is the primary constraint to consider when abstracting continuous time trace structures. A false negative is the case where the implementation is correct in continuous time but not in discrete time; the automatic verifier inaccurately indicates that the implementation is incorrect. False negatives are undesirable, but not nearly as dangerous as false positives. The possibility of a false negative is the price one must pay for using a powerful abstraction technique.

It is not possible, in general, to use a discrete time trace structure to exactly represent the set of behaviors modeled by a continuous time trace structure; behaviors must be either added or removed, or both. If behaviors are added when abstracting a specification, then a false positive might result. To see this, consider the case where one of the added behaviors is a possible behavior of the implementation; then the implementation satisfies the specification in discrete time but not in continuous time. Thus, we want the discrete time abstraction of a continuous time specification to be a lower bound (under the set containment ordering) of the set of behaviors of the specification. False positives are avoided regardless of the tightness or looseness of the lower bound; however, a looser bound makes false negatives more likely.

The situation is different when abstracting components of an implementation. Here a false positive might result if behaviors are removed when abstracting. To see this, consider the case where one of the removed behaviors is not a possible behavior of the specification; then the implementation satisfies the specification in discrete time but not in continuous time. Thus, we want the abstraction of a component of an implementation to be an upper bound of the set of behaviors of the component. Again, a looser bound makes false negatives more likely.

We formalize these ideas with conservative approximations. When abstracting continuous time with discrete time, an appropriate conservative approximation consists of a pair of mappings from continuous time trace structures to discrete time trace structures: a lower bound mapping and an upper bound mapping. Suppose the implementation satisfies its specification when verified using the discrete time trace structures that result from applying the lower bound mapping to the specification and the upper bound mapping to the components of the implementation. By the definition of a conservative approximation, the implementation also satisfies its specification in continuous time. This insures that no false positives are possible.

A conservative approximation between two trace structure algebras can often be induced by certain relationships between the underlying trace algebras. For example, if there is a homomorphism between two trace algebras (in the universal algebra sense of homomorphism), then this induces a conservative approximation between trace structure algebras constructed from the trace algebras. Also, if a trace in one trace algebra is a set of traces from another trace algebra, then this induces a conservative approximation from trace structures over the first trace algebra to trace structures over the second. Conservative approximations from models with explicit simultaneity to models with interleaving semantics can be constructed in this manner: a trace with explicit simultaneity is represented by its set of interleavings, which is a set of interleaved traces.

The theoretical work described above was motivated by more practical issues concerning the verification of speed-dependent asynchronous circuits. We have developed a verifier for verifying such circuits that uses a discrete time model; it is a significant extension of the trace theory verifier developed by Dill [38, 39]. In chapter 5, we describe how to use the verifier to analyze two circuits. We also study the effects of using several different delay models in the verification, including inertial delay and a new model called chaos delay. We show that using inertial delay can lead to false positive verification results, and that chaos delay can avoid this problem without being overly conservative.

1.1 Major Results

The major results of this thesis are listed below.

• Trace algebra and trace structure algebra, which are powerful tools for constructing domains of agent models.

• Formalizing the concept of a conservative approximation from one trace structure algebra to another, and proving general theorems for constructing conservative approximations based on relationships between trace algebras.

• Particular conservative approximations from continuous time models to discrete time models and from explicit simultaneity semantics to interleaving semantics.

• Formalizing the concept of the inverse of a conservative approximation, and characterizing the inverse of a broad class of conservative approximations.

• An automatic verifier that, using conservative approximations, combines the efficiency of discrete time models and the accuracy of continuous time models.

• Using the verifier on speed-dependent asynchronous circuits with several new delay models.

1.2 Motivating Example

In this section we give a concrete example of how using a discrete time model can lead to a false positive verification result. We do this by informally analyzing a circuit due to Brzozowski and Seger [13, 14]. A more formal analysis will be given in chapter 3. For this circuit, gates are modeled according to the inertial delay model. To illustrate the inertial delay model, consider a gate with a minimum and maximum delay of one. If the gate becomes firable at time t, and remains firable for one time unit, then it will fire at time t + 1. If the gate is only firable for periods of time less than one unit long, then it will not fire.

The example circuit is given in Figure 1.1. The buffers have arbitrary delay (i.e., minimum delay of zero and unbounded maximum delay); the remaining gates have both their minimum and maximum delays equal to one. Initially all wires are low. Assume there is a single transition on input w that occurs at time 0. Can this lead to a transition on output z?

First, consider a synchronous time model. In chapter 3, we give a taxonomy of real-time models, including synchronous time models (which are a particular kind of discrete time model); for now it is adequate to characterize synchronous time models by assuming that events can only occur at times 0, 1, 2, etc. We can argue that z cannot transition in a synchronous time model. Assume z transitions at time t. This implies that at time t - 1 we must have y1 = 0, y2 = 1, y3 = 0. These constraints on y1 and y3 imply that x1 = x2 and x2 = x3 at time t - 2. But having x1 = x3 at time t - 2 contradicts the fact that y2 = 1 at time t - 1. Thus, there can be no z transition.

Figure 1.1: Circuit for demonstrating that discrete time models can lead to false positive verification results.

A z transition can occur in the continuous time model, however. Consider the behavior given by

{(w, 0), (x3, 1.3), (x2, 1.9), (y2, 2.3), (x1, 2.5), (z, 3.3)}.

The behavior is represented by a set of events; each event is an ordered pair designating an action and the time at which the action occurred. The order in which events occurred can be derived from the time stamps. Notice that the times between the x1 and x2 transitions and between the x2 and x3 transitions are less than one (so y1 and y3 do not transition), and the time between the x1 and x3 transitions is greater than one (leading to transitions of y2 and z). This is not possible in the synchronous time model we described above. As a result, the circuit can reach a state (where z = 1) in the continuous time model that is not reachable in the synchronous time model. This can lead to false positive verification results.
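As an added example (not code from the thesis), the following Python simulates the circuit of Figure 1.1 under the inertial delay model. The gate functions are an assumption reconstructed from the argument above (y1 = x1 XOR x2, y2 = x1 XOR x3, y3 = x2 XOR x3, and z fires when y1 = 0, y2 = 1, y3 = 0); real-valued buffer delays 2.5, 1.9 and 1.3 reproduce the quoted behavior, while an exhaustive sweep over integer buffer delays confirms that z never fires in synchronous time.

```python
import heapq
from itertools import product

# Gate netlist: an assumption reconstructed from the text's argument, not
# given explicitly on the page.  output -> (inputs, boolean function)
GATES = {
    "y1": (("x1", "x2"), lambda a, b: a ^ b),
    "y2": (("x1", "x3"), lambda a, b: a ^ b),
    "y3": (("x2", "x3"), lambda a, b: a ^ b),
    "z": (("y1", "y2", "y3"), lambda a, b, c: (not a) and b and (not c)),
}
GATE_DELAY = 1.0  # minimum and maximum delay of every non-buffer gate
SIGNALS = ("w", "x1", "x2", "x3", "y1", "y2", "y3", "z")


def simulate(buffer_delays, horizon=10.0):
    """Simulate one rising transition on w at time 0 and return the behavior
    as a list of (action, time) events, in the notation the thesis uses.

    buffer_delays = (d1, d2, d3) are the delays of the buffers w->x1, w->x2,
    w->x3 (arbitrary: zero or more, integer or real).  Every other gate obeys
    the inertial delay rule: it fires exactly GATE_DELAY after it becomes
    firable (output != function of its inputs), unless its inputs change so
    that it is no longer firable before then, in which case it does not fire.
    """
    state = {s: 0 for s in SIGNALS}  # all wires are initially low
    pending = {}                      # gate -> time at which it is due to fire
    queue = [(0.0, "w", 1)]           # (time, signal, new value)
    for name, d in zip(("x1", "x2", "x3"), buffer_delays):
        heapq.heappush(queue, (float(d), name, 1))
    trace = []
    while queue and queue[0][0] <= horizon:
        now = queue[0][0]
        # 1. Apply every transition scheduled for this instant.
        while queue and queue[0][0] == now:
            _, sig, val = heapq.heappop(queue)
            if sig in GATES:
                if pending.get(sig) != now:
                    continue          # firing was cancelled earlier: stale entry
                del pending[sig]
            if state[sig] != val:
                state[sig] = val
                trace.append((sig, now))
        # 2. Re-evaluate every gate under the inertial delay rule.
        for gate, (inputs, fn) in GATES.items():
            firable = int(bool(fn(*(state[i] for i in inputs)))) != state[gate]
            if firable and gate not in pending:
                fire_at = round(now + GATE_DELAY, 9)  # canonical float time
                pending[gate] = fire_at
                heapq.heappush(queue, (fire_at, gate, 1 - state[gate]))
            elif not firable and gate in pending:
                del pending[gate]     # firable for less than one unit: dropped
    return trace


def z_transition_times(buffer_delays):
    """Times at which output z changes for the given buffer delays."""
    return [t for sig, t in simulate(buffer_delays) if sig == "z"]


def synchronous_z_never_fires(max_delay=4):
    """Exhaustive check of the synchronous (integer-time) argument in the
    text: with integer buffer delays in 0..max_delay, z never transitions."""
    return all(not z_transition_times(d)
               for d in product(range(max_delay + 1), repeat=3))


if __name__ == "__main__":
    # Buffer delays 2.5, 1.9, 1.3 give the behavior quoted in the text.
    print(simulate((2.5, 1.9, 1.3)))
    print("synchronous z never fires:", synchronous_z_never_fires())
```

The simulated continuous-time trace continues past the quoted prefix: y2 falls at 3.5 once x1 = x3, and z follows it back to 0 at 4.5.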

The example does not show that it is impossible to reliably avoid false positives when using a synchronous model for verification; it merely shows that false positives are possible if one is not careful about how gates are modeled in synchronous time. In fact, in chapter 3 we construct a conservative approximation from continuous time models to synchronous time models. When this conservative approximation is used to construct synchronous time models of gates (like the gates used in figure 1.1) from the corresponding continuous time models, then false positives (relative to the continuous time models, see below) are provably impossible. This results from the conservative approximation including extra behaviors in the synchronous time gate models, behaviors that were not included in the informal synchronous time model we used to (incorrectly) argue that a z transition is not possible in figure 1.1.

Even when conservative approximations are used, there is another source of false positives that must be considered. Recall that using a conservative approximation from continuous time to discrete time (for example) guarantees that if an implementation satisfies its specification in synchronous time, then it also satisfies its specification in continuous time. In this case, because of the conservative approximation, we say that false positives are impossible relative to the continuous time model. However, it may still be possible to have a false positive relative to the physical implementation; that is, the implementation may satisfy its specification in the continuous time model, but still not work correctly when actually built. This may be caused either by errors in the formal specification or by errors in the continuous time models of the components of the implementation.

The possibility of errors in formal specifications is a very important problem that has received a lot of attention. In this thesis, however, we consider the simpler (but still surprisingly subtle) problem of avoiding errors in models of components. In chapter 5, we show that using inertial delay gates (like the ones we used to analyze figure 1.1) can lead to a false positive relative to a physical implementation. Other gate models, such as chaos delay (section 5.5), avoid these false positives, while reducing the chances of a false negative.


1.3 Related Work

Methodologies for formal verification provide formal semantics for agents and specifications, and means for describing agents and specifications in a convenient language and/or with data structures. They also provide ways of determining whether an implementation satisfies a specification, and to make this task easier, they often provide abstraction techniques. Isolating each of these properties of a verification methodology provides a natural way of organizing our description of related work.

1.3.1 Agent semantics

One of the most important distinguishing features of a verification methodology is the semantics used for agents. The most common semantics for untimed agents are state-transition systems (with either labeled states or labeled transitions), sets of sequences of states, and sets of sequences of events (or sets of events).

An early use of the term trace in a formal model of concurrency was in Hoare's trace semantics for CSP [48, 49]. Here a possible behavior of an agent (a process, in this case) is represented by a trace, which is a finite sequence of communication actions. An agent is then modeled by a prefix-closed set of traces. To better model deadlock and divergence, this model was extended to include failures and divergences [7, 8, 88]. Reed et al. have developed a hierarchy of real-time extensions to these models [84, 86]. A timed trace is a sequence of timed communications (t, a), where a is a communication action and t is a real valued time stamp. Failures are also extended with timing information. Timed stability values have a role similar to divergences in untimed CSP.

Rem et al. have used traces to denote sequences of voltage transitions in asynchronous circuits, rather than sequences of communication actions [87]. Dill extended this model to implement an automatic verifier for speed-independent asynchronous circuits [38, 39]. Circuits were described by two sets of traces, a success set and a failure set (this notion of failure is not related to failures in CSP semantics), which represent requirements on the environment as well as on the circuit itself. Dill also formalized the notion that a model of a circuit is receptive iff it can never block any of its inputs. Although it was never implemented, Dill extended his model to include infinite traces for representing liveness properties [6, 38, 40].

Modeling behaviors with sequences of actions, as above, is known as interleaving semantics. The possibility of two actions occurring simultaneously is not explicitly represented in interleaving semantics. Thus, interleaving semantics is potentially less accurate than semantics with explicit simultaneity. Note that there is another notion of interleaving that is sometimes used in real-time software analysis: only one process is allowed to be running at a time. This contrasts with maximal parallelism models, where it is assumed that each process has its own processor. All of the models we use in this thesis are analogous to maximal parallelism, even though we sometimes use interleaving semantics.

Concurrency can be represented more explicitly by using sequences of sets of actions: a non-singleton set represents two or more events occurring simultaneously. This is a convenient semantics for synchronous systems. It is also a simple discrete time model that can be used for analyzing real-time systems [5]. Untimed asynchronous agents can be modeled by using sequences of non-empty sets of actions. Sequences of states can also be used to provide a similarly expressive model of concurrency. Here untimed systems are modeled using stutter-free sequences or stuttering-closed sets of sequences. Other models of concurrency include Mazurkiewicz traces [74] and partially-ordered multisets [83].

Models based on sequences of actions and sequences of states can be extended to real-time models in many different ways. Alur and Henzinger provide a good survey of these extensions, as well as other real-time modeling issues [4].

There is a common feature of the models we have described so far in this section: agents are modeled by sets of elements, and each element represents a possible behavior of the agent. Any model with this feature can be handled using our notions of trace algebra and trace structure algebra, as long as the axioms of trace algebra (which are quite weak) are satisfied. The elements that represent behaviors, which we call traces (using the term quite broadly), become the carrier of an appropriate trace algebra. A trace structure, which represents an agent, contains a set of such traces. These trace structures form the carrier of a trace structure algebra, which has operations of parallel composition, projection and renaming on trace structures.

A long term goal of our research with trace algebra is to encode a large number of the existing models of concurrency as trace algebras and trace structure algebras. We believe that trace algebra can provide a kind of unifying theory, highlighting the important differences and similarities between these models. This thesis takes a first step in this direction by constructing conservative approximations between several real-time models.

Even though trace algebra is quite general, it cannot be used to adequately model branching time properties. In this situation, an agent is typically modeled with some sort of labeled transition system. If the states of the transition system are labeled, then it is called a Kripke structure [35]; if the edges (transitions) are labeled, it is called a synchronization tree [76]. Determining what features of trace structure algebras and conservative approximations can be extended to branching time semantics is an interesting research question, but it is beyond the scope of this thesis.

1.3.2 Describing Agents

After the semantics of agents are determined, it is still necessary to represent agents in human readable form (with a description language) and/or in machine readable form (with an appropriate data structure). As a simple example, assume an agent is modeled by a set of sequences of some sort. The set of sequences can be viewed as a formal language. If agents are finite state, then data structures based on finite automata or ω-automata can be used to represent agents. The verifier [16, 17] we use in chapter 5 uses automata to represent trace structures that consist of prefix-closed sets of finite sequences.

Input-output automata are a slight extension of conventional automata for representing finite and infinite sequences of actions [69]. They have been further extended to represent timed behaviors using a continuous time model [68, 94]. Input-output automata are used in verification methods based on refinement mappings (see section 1.3.3). Verification based on language containment algorithms can be done with the timed automata of Alur and Dill [2, 41] and Lewis [64]. All of these techniques use the same underlying model of continuous time behaviors as is provided by the trace algebra (see section 3.2); they just provide different ways of expressing agents. The verification methods we propose (see section 5.2) do not require directly representing continuous time agents; instead, we construct discrete time agents that are conservative approximations of the intended continuous time semantics.

A transition system can be used as branching time semantics (as above), or as a representation of linear time semantics if only its set of execution sequences are considered. Real-time extensions of transition systems include both continuous time [46] and discrete time [45, 81, 82].

Process algebras have also been used as the basis for real-time specification languages. Lee and Davidson [62] and Lee and Zwarico [63] have extended CSP with methods for specifying timeouts and delays associated with executing actions. Schneider has shown how extending CSP with a single wait operator makes it possible to derive a large number of other standard timing operators [89]. Nicollin et al. [79, 80] have extended ACP with a unit delay operator. This operator can be used to express delays and timeouts of arbitrary duration. CCS has also been extended with operators for describing real-time processes [95, 96].

1.3.3 Specification and Verification

In its most general form, a specification is a set of agents; verification is the process of determining whether a given implementation is in the set of agents of the specification.

If there is some equivalence relation defined on the set of agent models, and the specification is an equivalence class, then the specification can be represented by one of the agents in the class. Several examples of this style of specification are based on various kinds of observational equivalences [76]. Hierarchical verification is simplified since both the implementation and the specification are given by a single agent.

A generalization of this is to use a preorder on agents rather than an equivalence relation.
An agent then represents the set of all agents that are less than or equal to it according to
this order. The preorder is often based on formal language containment [57]. The idea is that
if behaviors are removed from an agent that satisfies some specification, then the resulting
agent also satisfies the specification. Verification can either be done by hand (possibly with
assistance from an automated theorem prover) using refinement mappings [68] or by language
containment algorithms on automata [32, 38, 57].

Most  work  in  the  literature  on  the  automatic  verification  of  real-time  systems  uses  some  sort 
of  temporal  logic  as  a  specification  language.  These  logics  are  usually  extensions  of  existing 
qualitative  temporal  logics  such  as  CTL  [34]  or  PTL  [66],  which  all  suffer  from  well  known 
limits  in  the  expressiveness  of  propositional  temporal  logics  [97].  A  formula  in  a  temporal  logic 
serves  as  a  specification.  The  set  of  agents  represented  by  the  specification  is  the  set  of  agents 
that  satisfies  the  formula. 

An implementation can be represented by a formula in temporal logic (like the specification)
or it can be represented by a transition system. If the implementation is represented by
a formula f and the specification is represented by a formula g, then the implementation
is correct if and only if the formula f ∧ ¬g is not satisfiable; this can be checked using a
tableau construction [33, 70]. Model checking is used to check whether a transition system
satisfies a given temporal logic formula [26, 34, 35]. Hierarchical verification is difficult with
model checking since the specification language is different from the languages used to describe
implementations.

Ostroff [81, 82] extends linear temporal logic to include a global clock variable that can
be used in forming propositions. The semantics is defined on a discrete time model, and
algorithms are given for automatic model checking of formulas in the logic. The semantics
and the algorithms are quite complicated, however, and only small verification examples have
been published. There are other examples of extending temporal logics with a discrete time
model [3, 47, 54], but none of these methods have been implemented and tested on examples.

Methods for model checking a continuous real-time extension of CTL have been developed
by Alur, Courcoubetis and Dill [1], and also independently by Lewis [65]. It appears likely that
the exact modeling of continuous time reduces the efficiency of the model checking algorithms.
Alur and Henzinger [4] give a survey of these and other real-time temporal logics.

Rather  than  using  a  temporal  logic,  Jahanian,  Mok  and  Stuart  use  RTL  (an  extension 
of  first  order  logic)  to  describe  real-time  systems  and  their  specifications  [51,  52].  If  the 
specification  is  a  theorem  derivable  from  the  formula  representing  the  system,  then  the  system 
is  correct.  The  proof  can  be  automated  using  either  a  first  order  theorem  prover  or  a  decision 
procedure  for  Presburger  Arithmetic.  System  descriptions  can  also  be  written  using  the  event- 
action  model  and  then  mechanically  translated  into  RTL  formulas. 
1.3.4 Abstraction

Abstraction techniques are important for reducing the complexity of verification. We describe
here some of the abstraction techniques that are closely related to the conservative approximations
from continuous time to discrete time that we define later in the thesis.

Henzinger, Manna and Pnueli explore the relationship between verification results obtained
with discrete time and continuous time models [47]. They show that for implementations given
by timed transition systems, and for specifications written in a large subset of metric temporal
logic, properties hold in discrete time if and only if they hold in continuous time. This exactness
result does not give the same amount of flexibility as conservative approximations do for
devising abstractions. Also, their results appear to depend rather heavily on the particular
behavior model that they used.

Kurshan et al. have verified several commercial communication systems and protocols [44]
using powerful abstraction techniques based on homomorphisms on automata [57, 58]. The
abstractions are closely related to our notion of conservative approximation induced by a
homomorphism. Our techniques for constructing domains of agent models and conservative
approximations are significantly more general, but Kurshan et al. have gained considerable
practical experience with their techniques.

Kurshan and McMillan [59] generalized homomorphisms on automata to develop a semi-algorithmic
method for extracting finite-state models from an analog, circuit level model.
This requires modeling continuous time, as well as continuous voltage and other physical
parameters. The method can be applied directly to only small circuit components. However,
hierarchical verification methods can be applied in order to verify larger circuits. Although the
method can relate particular continuous and discrete models, it does not provide a relationship
between entire domains of agent models like conservative approximations do.

Reed, Roscoe and Schneider have defined an extensive hierarchy of timed models for
CSP [84, 85, 86]. They show how abstractions within the hierarchy can be used to simplify
correctness proofs [86, 89]. However, they do not provide mathematical tools, such as trace
algebra and trace structure algebra, for simplifying extensions to the hierarchy. Also, in their
models behaviors are either untimed or have real-valued time stamps; there are no intermediate
discrete time models. The levels in the hierarchy are formed from various combinations of
timed and untimed CSP traces, failures and stability values.


Chapter  2 

Trace  Algebra,  Part  I 


This chapter describes some very general methods for constructing different models of concurrent
systems, and for proving relationships between these models. The most important
of these relationships is the concept of a conservative approximation. Informally, a model is
a conservative approximation of a second model when the following condition is satisfied: if
an implementation satisfies a specification in the first model, then the implementation also
satisfies the specification in the second model. Conservative approximations are useful when
the second model is accurate but difficult to use in proofs or with automatic verification tools,
and the first model is an abstraction that simplifies verification.

The formal methods we describe are based on three kinds of inter-related algebras: concurrency
algebra, trace algebra and trace structure algebra. Concurrency algebra is based on
Dill's circuit algebra [38] and is a simple abstract algebra with three operations: parallel
composition, projection, and renaming. The three operations must satisfy the axioms C1 through
C9 (p. 24). The domain (or carrier) of a concurrency algebra is intended to represent a set of
processes, or agents. Any set can be the domain of a concurrency algebra if interpretations
for parallel composition, projection and renaming that satisfy C1 through C9 can be defined
over the set. In this thesis, whenever we define an interpretation for these three operations, we
always show that the interpretation forms a concurrency algebra, which gives evidence that
the interpretation makes intuitive sense.

We often use a set of trace structures as the domain of a concurrency algebra. This special
case of a concurrency algebra is called a trace structure algebra. Each trace structure contains
a set of traces, where each trace represents a behavior of the agent modeled by the trace
structure. The kind of trace that is used is a parameter in our method. Any mathematical
object that satisfies certain minimum requirements can be used as a trace. These requirements
are formalized as the axioms of trace algebra. A trace algebra has a set of traces as its domain,
and defines the operations of projection and renaming (and possibly concatenation) on traces.

In summary, a trace algebra has a set of traces as its domain, and each trace is interpreted
as an abstraction of a physical behavior. A sequence of actions is a standard example of a trace,
but in trace algebra any mathematical object can be used as a trace as long as certain axioms
are satisfied. An agent is modeled by a trace structure, which contains a set of traces from
some trace algebra, representing the set of possible behaviors of the agent. The operations of
parallel composition, projection and renaming are defined over a domain of trace structures,
forming a trace structure algebra. These operations satisfy the axioms of concurrency algebra,
so a trace structure algebra is a special case of a concurrency algebra.


2.1  Concurrency  Algebra 

Concurrency algebras (which are based on Dill's circuit algebra [38]) have the following operations
on agents: parallel composition, projection and renaming. These operations satisfy a set
of axioms, which are intended to be consistent with the intuitive meaning of the operations.

Agents  communicate  through  either  shared  actions  or  shared  state  variables.  We  use  the 
term  signal  to  refer  to  either  an  action  or  a  state  variable.  We  associate  with  each  agent  an 
agent  signature  (or  just  signature),  which  describes  sets  of  input  signals  and  output  signals. 

Definition 2.1. We use W to denote a set of signals. The set of agent signatures Γ over W
is the set of ordered pairs (I, O) such that I and O are disjoint subsets of W. We use γ
to denote agent signatures (often called just signatures).

In a signature (I, O) over W, the set W is usually infinite and the sets I and O are usually
finite, but this is not required.

Definition 2.2. If γ = (I, O) is a signature over W, then A = I ∪ O is the alphabet of γ. If
A is the alphabet of some signature, then we call A an alphabet. Thus, an alphabet over
W is any subset of W.

Note 2.3. When we mention a signature γ, we also implicitly define I and O so that γ =
(I, O). We also implicitly define A to be the alphabet of γ. If the name of the signature
is decorated with primes and/or subscripts, those decorations carry over to the implicitly
defined quantities. For example, mentioning a signature γ'_1 implicitly defines I'_1, O'_1 and
A'_1.

Note 2.4. If an object E has an agent signature associated with it, we implicitly define γ to
be that signature. If the name of the object is decorated with primes and/or subscripts,
those decorations carry over to the implicitly defined signature. For example, associating
a signature with an object E'_1 implicitly defines a signature γ'_1. This, as described in
note 2.3, also implicitly defines I'_1, O'_1 and A'_1.

The renaming operation uses a renaming function, which is a bijection from one alphabet
to another.

Definition 2.5. A function r with dom(r) = A and codom(r) = B, where A and B are
alphabets over W, is a renaming function over W if r is a bijection.

The parallel composition of two agents E and E' (written E || E') corresponds to, for example,
joining two circuits or running two processes concurrently. In the resulting composition,
E and E' communicate through shared signals. We require that no signal be an output of
both E and E'. The agent rename(r)(E) is formed from E by renaming the signals of E
according to r. If B is a subset of the alphabet of E, then proj(B)(E) has B as its alphabet;
the remaining signals of E are not externally visible. We allow only outputs of E to be hidden,
so B must contain all of the inputs of E. The three operations of concurrency algebra satisfy
several identities. All of this is formalized in the following definition.

Definition 2.6. A concurrency algebra over W has a domain D of agents, and the operations
of parallel composition, projection and renaming, denoted by ||, proj(B) and rename(r).
Associated with each element of D is an agent signature from the set Γ of agent signatures
over W. Let E and E' be elements of D (recall that this implicitly defines I, I', etc.,
see note 2.4). The signatures of E || E', proj(B)(E) and rename(r)(E) are given by the
following rules.

• If O ∩ O' = ∅, then E || E' is defined and its signature is

  ((I ∪ I') − (O ∪ O'), O ∪ O').

• If I ⊆ B ⊆ A, then proj(B)(E) is defined and its signature is (I, O ∩ B).

• If r is a renaming function with domain A, then rename(r)(E) is defined and its
signature is (r(I), r(O)), where r is naturally extended to sets.
The operations must satisfy the identities given below. In all of the identities, there is
an implicit assumption that the left hand side of the equation is defined; in each case, if
the left hand side is defined, then so is the right hand side. For a renaming function r and
an alphabet B ⊆ dom(r), we write r|_B for the restriction of r to B, which is itself a renaming
function from B to r(B).

C1. (E || E') || E'' = E || (E' || E'').

C2. E || E' = E' || E.

C3. rename(r)(rename(r')(E)) = rename(r ∘ r')(E).

C4. rename(r)(E || E') = rename(r|_A)(E) || rename(r|_{A'})(E').

C5. rename(id_A)(E) = E.

C6. proj(B)(proj(B')(E)) = proj(B)(E).

C7. proj(A)(E) = E.

C8. proj(B)(E || E') = proj(B ∩ A)(E) || proj(B ∩ A')(E'), if (A ∩ A') ⊆ B.

C9. proj(r(B))(rename(r)(E)) = rename(r|_B)(proj(B)(E)).

2.2  Trace  Algebra 

Several methods for verifying concurrent systems are based on checking for language containment
or related properties [38, 43, 49, 57, 68]. In the simplest form of language containment-based
verification, each agent is modeled by a formal language of finite (or possibly infinite)
sequences. If agent T is a specification and T' is an implementation, then T' is said to satisfy
T if the language of T' is a subset of the language of T. The idea is that each sequence, sometimes
called a trace, represents a behavior; an implementation satisfies a specification iff all
the possible behaviors of the implementation are also possible behaviors of the specification.

The  method  we  use  in  this  thesis  for  verifying  real-time  properties  is  a  generalization  of 
the  language  containment  method.  Traces  are  not  restricted  to  be  sequences,  but  can  be  any 
mathematical  object  that  has  certain  properties.  In  this  section,  these  properties  are  formalized 
in  the  axioms  of  trace  algebra,  which  is  a  kind  of  abstract  algebra  that  has  a  set  of  traces  as  its 
domain. The next section describes trace structure algebra, which has as its domain a set of
trace structures, each containing a subset of the traces from a given trace algebra. The notion
of one trace structure satisfying another is based on trace set containment.

Before giving the formal definitions of these concepts, let us describe a simple example of
a trace algebra and a trace structure algebra. Let the set of traces over an alphabet A be A^∞,
which is the set of finite and infinite sequences over A. A pair (γ, P) is a trace structure if γ
is a signature and P ⊆ A^∞, where A is the alphabet of γ.

We define the operations of parallel composition, projection and renaming on trace structures
by first defining projection and renaming on individual traces. If x ∈ A^∞ and B ⊆ A,
then proj(B)(x) is the string formed from x by removing all symbols not in B. If r is a
renaming function over A, then rename(r)(x) is the string formed from x by replacing every
symbol a with r(a).

Projection and renaming on trace structures are just the natural extensions of the corresponding
operations on traces. In particular, if T = ((I, O), P) is a trace structure, I ⊆ B ⊆ A
and r is a renaming function over A, then

  proj(B)(T) = ((I, O ∩ B), proj(B)(P)),

  rename(r)(T) = ((r(I), r(O)), rename(r)(P)),

where the operations of projection and renaming on traces are naturally extended to sets of
traces. If T = (γ, P) is equal to the parallel composition of T' and T'', then

  P = {x ∈ A^∞ : proj(A')(x) ∈ P' ∧ proj(A'')(x) ∈ P''}.

Given our definition of projection on strings, this is a natural definition of parallel composition.
Rem, van de Snepscheut and Udding's [87] definition of the set of traces resulting from parallel
composition is almost identical to ours, except that it is restricted to finite length strings.

Looking at the above definitions more closely, we can see how these concepts can be generalized
to unify many different kinds of models. Rather than always using strings in a formal
language as the domain of traces, we can use any domain that has projection and renaming
operations defined on it and that satisfies certain requirements. These requirements are
formalized in the axioms of trace algebra. In each case, the operations on trace structures
are defined exactly as above, in terms of the operations on individual traces. The resulting
trace structure algebra satisfies the axioms of concurrency algebra because the underlying
traces satisfy the axioms of trace algebra. The remainder of this chapter formalizes and proves
these claims, and defines what it means for one trace structure algebra to be a conservative
approximation of another.
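As an added worked example (not code from the thesis), the following Python implements the interleaving trace algebra of this section and the three trace structure operations just defined, restricted to finite traces so that parallel composition can be computed by enumeration. It then checks an implementation against a specification by trace set containment and tests identity C8 on concrete structures. The agents X and Y, the specification SPEC and the choice of hidden signal are constructed for the example; the requirement that an implementation and its specification share a signature is an assumption of the example rather than a condition stated in the text.

```python
# Added example, not code from the thesis: the interleaving trace algebra of
# definition 2.9 and the trace structure algebra of section 2.2, restricted to finite
# traces so that every trace set can be enumerated and compared exactly. Signals are
# strings, a trace is a tuple of signals, a renaming function is a dict (a bijection).
from itertools import product


def proj(B, x):
    """proj(B)(x) of definition 2.9: drop every symbol of x that is not in B."""
    return tuple(a for a in x if a in B)


def rename(r, x):
    """rename(r)(x) of definition 2.9: replace each symbol a by r(a)."""
    return tuple(r[a] for a in x)


class TraceStructure:
    """((I, O), P): a signature with disjoint inputs I and outputs O, plus a set P of
    finite traces over the alphabet A = I | O (section 2.2)."""

    def __init__(self, I, O, P):
        self.I, self.O = frozenset(I), frozenset(O)
        if self.I & self.O:
            raise ValueError("inputs and outputs must be disjoint (definition 2.1)")
        self.P = frozenset(tuple(x) for x in P)
        if any(not set(x) <= self.A for x in self.P):
            raise ValueError("every trace must be over the alphabet I | O")

    @property
    def A(self):
        return self.I | self.O

    def __eq__(self, other):
        return (self.I, self.O, self.P) == (other.I, other.O, other.P)


def proj_ts(B, T):
    """proj(B)(T) = ((I, O & B), proj(B)(P)); only outputs may be hidden, so I <= B <= A."""
    B = frozenset(B)
    if not (T.I <= B <= T.A):
        raise ValueError("projection needs I <= B <= A")
    return TraceStructure(T.I, T.O & B, {proj(B, x) for x in T.P})


def rename_ts(r, T):
    """rename(r)(T) = ((r(I), r(O)), rename(r)(P)); r must be a bijection with domain A."""
    if set(r) != T.A or len(set(r.values())) != len(r):
        raise ValueError("r must be a bijection whose domain is the alphabet of T")
    return TraceStructure({r[a] for a in T.I}, {r[a] for a in T.O},
                          {rename(r, x) for x in T.P})


def compose(T1, T2):
    """T1 || T2 with P = {x over A1 | A2 : proj(A1)(x) in P1 and proj(A2)(x) in P2}.
    Each symbol of such an x is kept by at least one of the two projections, so
    len(x) <= (longest trace of P1) + (longest trace of P2); enumerating every trace up
    to that bound therefore produces the complete set, not an approximation."""
    if T1.O & T2.O:
        raise ValueError("no signal may be an output of both agents")
    A = T1.A | T2.A
    bound = max(map(len, T1.P), default=0) + max(map(len, T2.P), default=0)
    P = {x for n in range(bound + 1) for x in product(sorted(A), repeat=n)
         if proj(T1.A, x) in T1.P and proj(T2.A, x) in T2.P}
    return TraceStructure((T1.I | T2.I) - (T1.O | T2.O), T1.O | T2.O, P)


def satisfies(impl, spec):
    """Language containment: every behavior of impl is a behavior of spec. Requiring
    equal signatures is this example's assumption, not a condition stated in the text."""
    return (impl.I, impl.O) == (spec.I, spec.O) and impl.P <= spec.P


def axiom_c8_holds(T1, T2, B):
    """Check C8 on concrete structures, under its side condition (A1 & A2) <= B:
    proj(B)(T1 || T2) == proj(B & A1)(T1) || proj(B & A2)(T2)."""
    B = frozenset(B)
    if not (T1.A & T2.A) <= B:
        raise ValueError("C8 applies only when every shared signal is kept: (A & A') <= B")
    return proj_ts(B, compose(T1, T2)) == compose(proj_ts(B & T1.A, T1),
                                                  proj_ts(B & T2.A, T2))


# Constructed sample agents: X emits 'a' then 'b'; Y waits for 'b' and then emits 'c'.
# The trace sets are prefix-closed lists of the agents' finite behaviors.
X = TraceStructure(I=set(), O={"a", "b"}, P={(), ("a",), ("a", "b")})
Y = TraceStructure(I={"b"}, O={"c"}, P={(), ("b",), ("b", "c")})
# Specification for X || Y once the internal signal 'b' is hidden: 'a' and then 'c'.
SPEC = TraceStructure(I=set(), O={"a", "c"}, P={(), ("a",), ("a", "c")})


def verify_example():
    """Hide 'b' in X || Y and check the result against SPEC by trace set containment."""
    system = proj_ts({"a", "c"}, compose(X, Y))
    return system.P, satisfies(system, SPEC)


if __name__ == "__main__":
    print(sorted(compose(X, Y).P))            # [(), ('a',), ('a', 'b'), ('a', 'b', 'c')]
    print(verify_example())                   # (frozenset of (), ('a',), ('a', 'c'); True)
    print(axiom_c8_holds(X, Y, {"a", "b"}))   # True
```

The enumeration in compose is only a device for a finite example; the definition in the text ranges over A^∞, and for finite trace sets the length bound makes the enumerated result exactly the set P defined above. Note that satisfies checks containment in one direction only, which is the point of the preorder view in section 1.3.3: an implementation with fewer behaviors than the specification still satisfies it.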
We make a distinction between two different kinds of behaviors: complete behaviors and
partial behaviors. A complete behavior has no endpoint. Since a complete behavior goes
on forever, it does not make sense to talk about something happening "after" a complete
behavior. A partial behavior has an endpoint; it can be a prefix of a complete behavior or
of another partial behavior. Every complete behavior has partial behaviors that are prefixes
of it; every partial behavior is a prefix of some complete behavior. The distinction between
a complete behavior and a partial behavior has only to do with the length of the behavior
(that is, whether or not it has an endpoint), not with what is happening during the behavior;
whether an agent does anything, or what it does, is irrelevant.

Complete traces and partial traces are used to model complete and partial behaviors,
respectively. A given object can be both a complete trace and a partial trace; what is being
represented in a given case is determined from context. For example, a finite string can
represent a complete behavior with a finite number of actions, or it can represent a partial
behavior. The form of trace algebra we define here has only complete traces; it is intended
to represent only complete behaviors. Trace algebra with partial traces will be defined in
chapter 4. We use the symbol 'C' to denote trace algebras. Since we only consider here trace
algebras with complete traces and without partial traces, we use a subscript 'C' (e.g., 'C_C') to
denote the trace algebras used in this chapter.

Definition 2.7. A trace algebra C_C over W is a triple (B_C, proj, rename). For every alphabet
A over W, B_C(A) is a non-empty set, called the set of traces over A. Slightly abusing
notation, we also write B_C as an abbreviation for

  ⋃ {B_C(A) : A is an alphabet over W}.

For every alphabet B over W and every renaming function r over W, proj(B) and
rename(r) are partial functions from B_C to B_C. The following axioms T1 through T8
must also be satisfied. For all axioms that are equations, we assume that the left side of
the equation is defined.

T1. proj(B)(x) is defined iff there exists an alphabet A such that x ∈ B_C(A) and B ⊆ A.
When defined, proj(B)(x) is an element of B_C(B).

T2. proj(B)(proj(B')(x)) = proj(B)(x).

T3. If x ∈ B_C(A), then proj(A)(x) = x.

T4. Let x ∈ B_C(A) and x' ∈ B_C(A') be such that proj(A ∩ A')(x) = proj(A ∩ A')(x').
For all A'' where A ∪ A' ⊆ A'', there exists x'' ∈ B_C(A'') such that x = proj(A)(x'')
and x' = proj(A')(x'').

T5. rename(r)(x) is defined iff x ∈ B_C(dom(r)). When defined, rename(r)(x) is an
element of B_C(codom(r)).

T6. rename(r)(rename(r')(x)) = rename(r ∘ r')(x).

T7. If x ∈ B_C(A), then rename(id_A)(x) = x.

T8. proj(r(B))(rename(r)(x)) = rename(r|_B)(proj(B)(x)), where r|_B denotes the
restriction of r to B (a renaming function from B to r(B)).

T1 and T5 state when the operations on traces are defined. T2, T3, T6, T7 and T8 are
natural properties corresponding to C6, C7, C3, C5 and C9, respectively. The remaining
axiom, T4, is a kind of "diamond property", as illustrated in figure 2.1. As an example of
applying T4, consider the case where traces are sequences. Let A = {a, b}, A' = {b, c},
x = abab and x' = bcb. Clearly proj(A ∩ A')(x) and proj(A ∩ A')(x') are both equal to bb.
Choosing x'' = abacb demonstrates that T4 holds for this pair of sequences. Intuitively, T4
requires that if two traces x and x' are compatible on their shared signals (i.e., A ∩ A'), then
there exists a trace x'' that corresponds to the synchronous composition of x and x'.

Note 2.8. We naturally extend the renaming and projection operations on traces to operations
on sets of traces. For example, if rename(r)(x) is defined for every x in X, then
rename(r)(X) is defined such that

  rename(r)(X) = {rename(r)(x) : x ∈ X}.

2.2.1 Examples

As an example trace algebra, we formalize the trace algebra briefly described at the beginning
of section 2.2, which we call C_C^I. We always use the symbol 'C' to denote trace algebras, and the
superscript 'I' is a mnemonic for an (untimed) interleaving model; the subscript 'C' indicates
that there are only complete traces in the trace algebra (i.e., a trace algebra without partial
traces).

Definition 2.9. For a given set of signals W, the trace algebra C_C^I = (B_C^I, proj^I, rename^I)
over W is defined as follows:

• For every alphabet A over W, the set B_C^I(A) of traces over A is A^∞.

• If x ∈ B_C^I(A) and B ⊆ A, then proj^I(B)(x) is the sequence formed from x by
removing every symbol a not in B. More formally, if x' = proj^I(B)(x), then

  len(x') = |{j ∈ ℕ : 0 ≤ j < len(x) ∧ x(j) ∈ B}|

and x'(k) = x(n) for all k < len(x'), where n is the unique integer such that
x(n) ∈ B and

  k = |{j ∈ ℕ : 0 ≤ j < n ∧ x(j) ∈ B}|.

• If x ∈ B_C^I(A) and r is a renaming function over W with domain A, then
rename^I(r)(x) is the sequence x' with len(x') = len(x) and x'(n) = r(x(n)) for all
n < len(x).

Figure 2.1 (diagram not reproduced; its top vertex is x'' ∈ B(A'')): According to T4, if
there exists an x and an x' that satisfy the lower half of the diamond, then there exists an x''
that satisfies the upper half, for any alphabet A'' such that A ∪ A' ⊆ A''.

Note 2.10. For the trace algebra C_C^I (and analogously for other trace algebras defined later)
we often drop the superscript 'I' when writing proj^I and rename^I.
Trace algebra can be used to construct a large variety of behavior models. The trace
algebra C_C^I, for which B_C(A) = A^∞, is just one example. To provide more intuition about the
range of possible trace algebras, we informally describe several examples.

The simplest possible trace algebra has exactly one trace; call it x_0. For any alphabet A,
the set of traces over A is B_C(A) = {x_0}. If B is an alphabet and r is a renaming function,
then proj(B)(x_0) and rename(r)(x_0) are defined and are equal to x_0. This trace algebra does not
distinguish between any behaviors; all behaviors are represented by the same trace. For this
reason it is not a useful trace algebra, but it does satisfy the necessary axioms.

A slightly more complicated trace algebra has B_C(A) = 2^A. For any trace x, proj(B)(x)
is defined and is equal to x ∩ B. On the other hand, rename(r)(x) is defined iff x ⊆ dom(r);
when defined, it is equal to r(x), where r is naturally extended to sets. It is easy to show
that this trace algebra satisfies T1 through T8; in particular, if x and x' satisfy the hypothesis
of T4, then x'' = x ∪ x' is sufficient to show that T4 is satisfied. Traces in this trace algebra
do not provide any information about actions occurring in sequence, only information about
what actions occurred a non-zero number of times during a behavior. Alternatively, if a ∈ x,
then this could be interpreted to mean that a occurred an odd number of times during the
behavior represented by x.

Traces in the last two examples provide less information about a behavior than do traces
in C_C^I. As an example of a trace algebra that provides more information than C_C^I, let B_C(A) =
(2^A)^ω. For any trace x, proj(B)(x) is defined and is formed from x by intersecting each element
of the sequence with B. The function rename(r) is the natural extension of r to sequences of
sets. Unlike traces in C_C^I, these traces can be interpreted as providing information about the
time at which events occur. If x is such a trace, then x(n) is the set of events that occurred
at time n. The set x(n) must be defined for all integers n; therefore, each trace x must be an
infinite sequence. This trace algebra can be shown to be isomorphic to the synchronous time
trace algebra (definition 3.6, p. 60).

A trace algebra that provides an intermediate amount of information between the last
example and C_C^I can be constructed by letting B_C(A) = (2^A − {∅})^∞. The renaming operation
is the same as in the last example, except that it is also extended to finite sequences. Projection is
similar to the last example, except that after doing the intersection, any instances of the empty
set that result must be removed from the sequence. Like C_C^I, this trace algebra is untimed;
however, it represents simultaneity explicitly, unlike interleaving semantics.

In chapter 3, we describe the continuous time trace algebra. There each trace over
an alphabet A is an element of 2^(A × ℝ⁺), where ℝ⁺ is the set of non-negative real numbers.
Each trace is a set of events; each event is an ordered pair of an action and a time stamp.
An isomorphic trace algebra can be constructed by taking advantage of the natural bijection
between 2^(A × ℝ⁺) and ℝ⁺ → 2^A. If x is a trace in ℝ⁺ → 2^A, then x(t) is the set of actions that
occurred at time t.

All of the trace algebras we have described are action based, but trace algebra can also be
used for state based models. For an agent with alphabet A, we interpret each a ∈ A as a state
variable. Let V be the set of values that can be taken by state variables. Then, each state is
an element of A → V. A trace algebra based on sequences of states would have B_C(A) equal
to (A → V)^ω, which can also be written as ℕ → (A → V).

For a continuous time, state based model, let B_C(A) = ℝ⁺ → (A → V). If x is such a
trace, then x(t) is the state at time t. If V is the set of real numbers, then this trace algebra
could be used as a circuit model that represents both continuous time and continuous voltage.

In  section  2.3  we  show  how  trace  algebras  can  be  used  to  construct  trace  structure  algebras. 
We  can  then  discuss  how  the  above  trace  algebra  examples,  which  provide  different  models  of 
individual  behaviors,  lead  to  different  models  of  agents. 


2.2.2 Proofs

This section proves that C_C^I is a trace algebra. It may be skipped on first reading.

Lemma 2.11. C_C^I is a trace algebra.

Proof. To show that C_C^I is a trace algebra, we must show that it satisfies T1 through T8.
T1, T3, T5, T6 and T7 are easy to show. All that remains is T2, T4 and T8.

Lemma  2.12.  satisfies  T2. 

Proof.  Let  x  G  5c(.4)  and  B  C  B'  C  A.  We  must  show  that 
proj{B){pToj{B'){x)]  =  proj(B)(x). 

The  proof  can  be  divided  into  three  cases  depending  on  whether  proj(B)(x)  and 
proj(B')(x)  are  finite  or  infinite  length  strings  (notice  that  it  is  impossible  for 
proj(B  )(x)  to  be  finite  when  proj(B)(x)  is  infinite).  W’e  only  consider  the  case 
where  both  are  infinite,  the  other  cases  are  analogous.  In  this  case,  x  is  of  the  form 


X  =  yo  bo  yibi  ■■■  yn  bn  •  •  • , 
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where  yi  e  {A  -  B)'  and  bi  G  B.  Thus, 
proj(B)(x)  =  bobi 
For  all  i,  the  trace  is  of  the  form 

yi  —  "i,0  b-  Q  Zi^-[  J  •  •  •  ^i,nii 

where  Zij  G  {A  —  B')*  and  bij  E  B'  -  B.  Let 
y'i  =  proj{B'){y,) 

which  is  an  element  of  {B'  —  B)*.  Clearly, 

proj{B){proj{B'){x))  =  proj(5)(y'  boy[bi  ...  y'^b^---) 

=  bo  bi  .  •  ■  bn  ■  •  ■ 

=  proj{B){x). 

□ 

Lemma 2.13. $\mathcal{C}_C$ satisfies T4.

Proof. We consider the case where $\mathit{proj}(A \cap A')(x)$ and $\mathit{proj}(A \cap A')(x')$ are of infinite length; the finite case is similar. In this case $x$ and $x'$ are of the form

$x = x_0\, a_0\, x_1\, a_1 \cdots x_n\, a_n \cdots,$

$x' = x'_0\, a'_0\, x'_1\, a'_1 \cdots x'_n\, a'_n \cdots,$

where the $a_i$ and $a'_i$ are elements of $A \cap A'$, and $x_i \in (A - A')^{*}$ and $x'_i \in (A' - A)^{*}$. If we assume that

$\mathit{proj}(A \cap A')(x) = \mathit{proj}(A \cap A')(x'),$

then $a_i = a'_i$ for every $i$. An example of an $x''$ that satisfies T4 is

$x'' = x_0\, x'_0\, a_0\, x_1\, x'_1\, a_1 \cdots x_n\, x'_n\, a_n \cdots,$

since

$\mathit{proj}(A)(x'') = x_0\, a_0\, x_1\, a_1 \cdots x_n\, a_n \cdots$

$= x$

and

$\mathit{proj}(A')(x'') = x'_0\, a_0\, x'_1\, a_1 \cdots x'_n\, a_n \cdots$

$= x'.$

□

Lemma 2.14. $\mathcal{C}_C$ satisfies T8.

Proof. We consider the case where $\mathit{proj}(B)(x)$ is of infinite length; the finite case is similar. In this case, $x$ is of the form

$x = y_0\, b_0\, y_1\, b_1 \cdots y_n\, b_n \cdots,$

where $y_i \in (A - B)^{*}$ and $b_i \in B$. Thus,

$\mathit{rename}(r|_{B \to r(B)})(\mathit{proj}(B)(x)) = \mathit{rename}(r|_{B \to r(B)})(b_0\, b_1 \cdots b_n \cdots)$

$= r(b_0)\, r(b_1) \cdots r(b_n) \cdots.$

For all $i$, let

$y'_i = \mathit{rename}(r)(y_i).$

Clearly,

$\mathit{proj}(r(B))(\mathit{rename}(r)(x)) = \mathit{proj}(r(B))(y'_0\, r(b_0)\, y'_1\, r(b_1) \cdots y'_n\, r(b_n) \cdots)$

$= r(b_0)\, r(b_1) \cdots r(b_n) \cdots$

$= \mathit{rename}(r|_{B \to r(B)})(\mathit{proj}(B)(x)).$

□

2.3 Trace Structure Algebra

We are now ready to define the concept of a trace structure algebra. Trace structures are constructed from the traces of a trace algebra, and are used to represent agents. Here we consider trace structures that contain one set of traces, which represents the set of possible behaviors of an agent.

Definition 2.15. Let $\mathcal{C}_C = (B_C, \mathit{proj}, \mathit{rename})$ be a trace algebra over $W$. The set of trace structures over $\mathcal{C}_C$ is the set of ordered pairs $(\gamma, P)$, where

• $\gamma$ is a signature over $W$,

• $A$ is the alphabet of $\gamma$, and

• $P$ is a subset of $B_C(A)$.

We call $\gamma$ the signature and $P$ the set of possible traces of a trace structure $T = (\gamma, P)$.

A trace structure $(\gamma, P)$ represents an agent with signature $\gamma$; each trace in $P$ represents a possible complete behavior of the agent.

Note 2.16. When we mention a trace structure $T$, we implicitly define $\gamma$ to be its signature and $P$ to be its set of possible traces. If the name of the trace structure is decorated with primes and/or subscripts, those decorations carry over to the implicitly defined quantities. For example, mentioning a trace structure $T'_1$ implicitly defines a signature $\gamma'_1$ and $P'_1$. This, as described in note 2.3, also implicitly defines $I'_1$, $O'_1$ and $A'_1$.

Definition 2.17. If $\mathcal{C}_C = (B_C, \mathit{proj}, \mathit{rename})$ is a trace algebra over $W$ and $\mathcal{T}$ is a subset of the trace structures over $\mathcal{C}_C$, then $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ is a trace structure algebra iff the domain $\mathcal{T}$ is closed under the following operations on trace structures: parallel composition (def. 2.18), projection (def. 2.19) and renaming (def. 2.20).

We use the subscript $C$ in $\mathcal{A}_C$ to denote a trace structure algebra that is built from a trace algebra $\mathcal{C}_C$ that has only complete traces (no partial traces). In chapter 4, we will define trace structure algebras that are constructed from trace algebras with both complete and partial traces.

To complete the definition of trace structure algebra, we need to define the operations on trace structures mentioned in definition 2.17.

Definition 2.18. If $O \cap O' = \emptyset$, then $T'' = T \parallel T'$ is defined and

$\gamma'' = ((I \cup I') - (O \cup O'),\ O \cup O')$

$P'' = \{x \in B_C(A'') : \mathit{proj}(A)(x) \in P \wedge \mathit{proj}(A')(x) \in P'\}.$

Definition 2.19. If $I \subseteq B \subseteq A$, then

$\mathit{proj}(B)(T) = ((I, O \cap B),\ \mathit{proj}(B)(P)).$

Definition 2.20. If $r$ is a renaming function with domain $A$, then

$\mathit{rename}(r)(T) = ((r(I), r(O)),\ \mathit{rename}(r)(P)).$

It can be shown, using the axioms of trace algebra, that the operations of parallel composition, projection and renaming on trace structures form a concurrency algebra (see theorem 2.22).

We want to use trace structure algebras as the basis for a verification methodology, which requires defining what it means for an implementation to satisfy a specification when both are given by trace structures. Our notion of satisfaction is based on trace set containment: an implementation satisfies a specification iff it is contained by the specification.

Definition 2.21. We say $T \sqsubseteq T'$ (read $T$ is contained in $T'$) iff $\gamma = \gamma'$ and $P \subseteq P'$.

The operations of parallel composition, renaming and projection are monotonic with respect to trace structure containment (see theorem 2.26). The monotonicity of parallel composition is important for using trace structure algebras as a basis for hierarchical verification techniques.

2.3.1 Examples

Let us consider how some of the example trace algebras discussed in section 2.2.1 can be used to construct trace structures, and how the different definitions of projection on traces lead to different notions of parallel composition of trace structures.

Consider trace structures over the trace algebra $\mathcal{C}_C$. The set of possible traces of a trace structure with alphabet $A$ is a subset of $B_C(A)$, which in this case is the set of finite and infinite sequences over $A$. Consider the trace structures

$T = ((\{a, b\}, \emptyset),\ \{abab\})$

$T' = ((\{b, c\}, \emptyset),\ \{bcb\}).$

By the definition of parallel composition in a trace structure algebra, the set of possible traces of $T'' = T \parallel T'$ is

$P'' = \{x \in B_C(\{a, b, c\}) : \mathit{proj}(\{a, b\})(x) \in P \wedge \mathit{proj}(\{b, c\})(x) \in P'\}$

$= \{abacb,\ abcab\}.$

This example illustrates how parallel composition results in nondeterminism in this model.

However, parallel composition does not lead to nondeterminism when the underlying trace algebra is the one with $B_C(A) = (2^{A})^{\omega}$ described in section 2.2.1. Let

$T = ((\{a, b\}, \emptyset),\ \{(\{a, b\}, \{a\}, \{b\})\})$

$T' = ((\{b, c\}, \emptyset),\ \{(\{b\}, \{c\}, \{b\})\}).$

Here the set of possible traces of $T'' = T \parallel T'$ is the singleton set

$P'' = \{(\{a, b\}, \{a, c\}, \{b\})\}.$

The relevant difference between this model and the interleaving model is that here each trace provides more information about the time of occurrence of events. As a result, the order of events is fully determined when "merging" together two local traces to form a global trace of a composition. Global traces are also fully determined in the cases where traces over an alphabet $A$ are elements of $(A \to V)^{\omega}$ or $\mathbb{R}^{\geq 0} \to (A \to V)$.

Another case where parallel composition does lead to nondeterminism is the one described in section 2.2.1 where $B_C(A) = (2^{A} - \{\emptyset\})^{\omega}$. In this case, for $T$ and $T'$ defined as above, the set of possible traces of $T'' = T \parallel T'$ is

$P'' = \{(\{a, b\}, \{c\}, \{a\}, \{b\}),$

$(\{a, b\}, \{a, c\}, \{b\}),$

$(\{a, b\}, \{a\}, \{c\}, \{b\})\}.$
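The three compositions above, worked out by brute force as an added example (this is not code from the thesis). A trace structure is represented as ((I, O), P); parallel composition enumerates candidate global traces over A ∪ A' and keeps those whose projections land in P and P', exactly as definition 2.18 prescribes. The projection functions for the two set-sequence models (pointwise intersection, with the empty steps removed in the third model) and all function names are assumptions of this example; they reproduce the trace sets stated in the text.

```python
from itertools import combinations, product


def fs(*elems):
    """Shorthand for a frozenset, used for alphabets and for trace steps."""
    return frozenset(elems)


def subsets(alphabet):
    """All subsets of a finite alphabet, as frozensets."""
    elems = sorted(alphabet)
    return [frozenset(c) for k in range(len(elems) + 1) for c in combinations(elems, k)]


# Model 1: interleaving traces.  A trace over A is a finite string over A, and
# proj(B) deletes every symbol that is not in B.
def proj_seq(B, x):
    return tuple(a for a in x if a in B)


def cand_seq(A, A1, p, p1):
    # Any x with proj(A)(x) = p and proj(A')(x) = p' uses only symbols of A ∪ A'
    # and is no longer than |p| + |p'|, so this enumeration is exhaustive.
    letters = sorted(A | A1)
    for n in range(max(len(p), len(p1)), len(p) + len(p1) + 1):
        yield from product(letters, repeat=n)


# Model 2: B_C(A) = (2^A)^omega.  A trace is written as its finite prefix, the rest
# being empty sets; proj(B) is assumed to be pointwise intersection with B.
def proj_sets(B, x):
    y = [s & B for s in x]
    while y and not y[-1]:          # drop trailing empty sets so equal traces compare equal
        y.pop()
    return tuple(y)


def cand_sets(A, A1, p, p1):
    # Every step of x is determined pointwise, so x is no longer than the longer argument.
    yield from product(subsets(A | A1), repeat=max(len(p), len(p1)))


# Model 3: B_C(A) = (2^A - {emptyset})^omega.  proj(B) is assumed to intersect each
# step with B and then delete the steps that became empty.
def proj_nonempty(B, x):
    return tuple(s & B for s in x if s & B)


def cand_nonempty(A, A1, p, p1):
    # A step of x projects onto some step of p or vanishes, and likewise for p';
    # restricting to such steps keeps the enumeration small.
    steps = [s for s in subsets(A | A1)
             if s and (not (s & A) or (s & A) in set(p))
             and (not (s & A1) or (s & A1) in set(p1))]
    for n in range(max(len(p), len(p1)), len(p) + len(p1) + 1):
        yield from product(steps, repeat=n)


def compose(proj, candidates, T, T1):
    """T || T' by definition 2.18; a trace structure is ((I, O), P) with I, O frozensets."""
    (I, O), P = T
    (I1, O1), P1 = T1
    if O & O1:
        raise ValueError("definition 2.18 requires O and O' to be disjoint")
    A, A1 = I | O, I1 | O1
    P2 = set()
    for p, p1 in product(P, P1):
        for x in candidates(A, A1, p, p1):
            if proj(A, x) == p and proj(A1, x) == p1:
                P2.add(x)
    return ((I | I1) - (O | O1), O | O1), P2


# The trace structures of section 2.3.1 (all actions are inputs, so O = O' = emptyset).
T_SEQ = ((fs("a", "b"), fs()), {tuple("abab")})
T1_SEQ = ((fs("b", "c"), fs()), {tuple("bcb")})
T_SETS = ((fs("a", "b"), fs()), {(fs("a", "b"), fs("a"), fs("b"))})
T1_SETS = ((fs("b", "c"), fs()), {(fs("b"), fs("c"), fs("b"))})


def interleaving_example():
    return compose(proj_seq, cand_seq, T_SEQ, T1_SEQ)[1]


def set_sequence_example():
    return compose(proj_sets, cand_sets, T_SETS, T1_SETS)[1]


def nonempty_set_sequence_example():
    return compose(proj_nonempty, cand_nonempty, T_SETS, T1_SETS)[1]


if __name__ == "__main__":
    print(interleaving_example())            # two interleavings: nondeterministic
    print(set_sequence_example())            # one global trace: deterministic
    print(nonempty_set_sequence_example())   # three global traces: nondeterministic again
```

The same `compose` serves all three algebras; only the projection and the candidate generator change, which is the point of defining parallel composition on trace structures in terms of projection on traces.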

2.3.2 Proofs

This section proves that trace structure algebras are concurrency algebras and that the operations on trace structures are monotonic with respect to trace structure containment.

Theorem 2.22. Trace structure algebras are concurrency algebras.

Proof. By definition, the domain $\mathcal{T}$ of trace structures is closed under projection, composition and renaming. We must show that C1 through C9 are also satisfied.

Lemma 2.23. Trace structure algebras satisfy C1.

Proof. Let $T_1 = (T \parallel T') \parallel T''$ and $T_2 = T \parallel (T' \parallel T'')$. Using T2 and definition 2.18, it is easy to show that both $P_1$ and $P_2$ are equal to

$\{x \in B_C(A_1) : \mathit{proj}(A)(x) \in P \wedge \mathit{proj}(A')(x) \in P' \wedge \mathit{proj}(A'')(x) \in P''\}.$

□

C2 is obvious from the definition of parallel composition. C3 follows easily from T6 and the definition of rename on sets of traces and on trace structures.

Lemma 2.24. Trace structure algebras satisfy C4.

Proof. Let $T'' = \mathit{rename}(r)(T \parallel T')$. Then

$P'' = \mathit{rename}(r)(\{x \in B_C(A \cup A') : \mathit{proj}(A)(x) \in P \wedge \mathit{proj}(A')(x) \in P'\})$

$= \{\mathit{rename}(r)(x) \in B_C(r(A \cup A')) : \mathit{proj}(A)(x) \in P \wedge \mathit{proj}(A')(x) \in P'\}$

by T6 and T7

$= \{\mathit{rename}(r)(x) \in B_C(r(A \cup A')) : \mathit{rename}(r|_{A \to r(A)})(\mathit{proj}(A)(x)) \in \mathit{rename}(r|_{A \to r(A)})(P) \wedge \mathit{rename}(r|_{A' \to r(A')})(\mathit{proj}(A')(x)) \in \mathit{rename}(r|_{A' \to r(A')})(P')\}$

by T8

$= \{\mathit{rename}(r)(x) \in B_C(r(A \cup A')) : \mathit{proj}(r(A))(\mathit{rename}(r)(x)) \in \mathit{rename}(r|_{A \to r(A)})(P) \wedge \mathit{proj}(r(A'))(\mathit{rename}(r)(x)) \in \mathit{rename}(r|_{A' \to r(A')})(P')\}$

by T6 and T7

$= \{y \in B_C(r(A \cup A')) : \mathit{proj}(r|_{A \to r(A)}(A))(y) \in \mathit{rename}(r|_{A \to r(A)})(P) \wedge \mathit{proj}(r|_{A' \to r(A')}(A'))(y) \in \mathit{rename}(r|_{A' \to r(A')})(P')\}.$

Thus, $P''$ is equal to the set of possible traces of

$\mathit{rename}(r|_{A \to r(A)})(T) \parallel \mathit{rename}(r|_{A' \to r(A')})(T').$

□

C5 follows from T7, C6 follows from T2, and C7 follows from T3.
Lemma 2.25. Trace structure algebras satisfy C8.

Proof. Let $T_1 = \mathit{proj}(B)(T \parallel T')$ and $T_2 = \mathit{proj}(B \cap A)(T) \parallel \mathit{proj}(B \cap A')(T')$, where $A \cap A' \subseteq B \subseteq A \cup A'$. It is easy to check that $T_1$ and $T_2$ have the same signature; we must show that $P_1 = P_2$. Let $y \in B_C(B)$, and assume

$\mathit{proj}(B \cap A)(y) \in \mathit{proj}(B \cap A)(P).$

Then,

$\mathit{proj}(B \cap A)(y) \in \mathit{proj}(B \cap A)(P)$

$\Leftrightarrow \exists z \in P\,[\mathit{proj}(B \cap A)(y) = \mathit{proj}(B \cap A)(z)]$

by T4

$\Leftrightarrow \exists z \in P\,[\exists x \in B_C(B \cup A)\,[y = \mathit{proj}(B)(x) \wedge z = \mathit{proj}(A)(x) \wedge \mathit{proj}(B \cap A)(y) = \mathit{proj}(B \cap A)(z)]]$

by substitution for $y$ and $z$

$\Leftrightarrow \exists z \in P\,[\exists x \in B_C(B \cup A)\,[y = \mathit{proj}(B)(x) \wedge z = \mathit{proj}(A)(x) \wedge \mathit{proj}(B \cap A)(\mathit{proj}(B)(x)) = \mathit{proj}(B \cap A)(\mathit{proj}(A)(x))]]$

by T2

$\Leftrightarrow \exists z \in P\,[\exists x \in B_C(B \cup A)\,[y = \mathit{proj}(B)(x) \wedge z = \mathit{proj}(A)(x)]]$

$\Leftrightarrow \exists x \in B_C(B \cup A)\,[y = \mathit{proj}(B)(x) \wedge \mathit{proj}(A)(x) \in P].$

Similarly,

$\mathit{proj}(B \cap A')(y) \in \mathit{proj}(B \cap A')(P')$

$\Leftrightarrow \exists x' \in B_C(B \cup A')\,[y = \mathit{proj}(B)(x') \wedge \mathit{proj}(A')(x') \in P'].$

We use these facts to show

$P_2 = \{y \in B_C(B) : \mathit{proj}(B \cap A)(y) \in \mathit{proj}(B \cap A)(P) \wedge \mathit{proj}(B \cap A')(y) \in \mathit{proj}(B \cap A')(P')\}$

as shown above

$= \{y \in B_C(B) : \exists x \in B_C(B \cup A)\,[\exists x' \in B_C(B \cup A')\,[y = \mathit{proj}(B)(x) \wedge \mathit{proj}(A)(x) \in P \wedge y = \mathit{proj}(B)(x') \wedge \mathit{proj}(A')(x') \in P']]\}$

by T4, since $A \cap A' \subseteq B \subseteq A \cup A'$

$= \{y \in B_C(B) : \exists x \in B_C(B \cup A)\,[\exists x' \in B_C(B \cup A')\,[\exists x'' \in B_C(A \cup A')\,[y = \mathit{proj}(B)(x) \wedge \mathit{proj}(A)(x) \in P \wedge y = \mathit{proj}(B)(x') \wedge \mathit{proj}(A')(x') \in P' \wedge x = \mathit{proj}(B \cup A)(x'') \wedge x' = \mathit{proj}(B \cup A')(x'')]]]\}$

by T2 and substitution for $x$ and $x'$

$= \{y \in B_C(B) : \exists x'' \in B_C(A \cup A')\,[y = \mathit{proj}(B)(x'') \wedge \mathit{proj}(A)(x'') \in P \wedge \mathit{proj}(A')(x'') \in P']\}$

$= P_1.$

□

C9 follows easily from T8.

□

Theorem 2.26. Parallel composition, $\mathit{rename}$ and $\mathit{proj}$ are monotonic with respect to trace structure containment.

Proof. Let $T$ and $T'$ be arbitrary trace structures such that $T \sqsubseteq T'$. The theorem follows from the following propositions, all of which are easily proved:

• $T \parallel T'' \sqsubseteq T' \parallel T''$,

• $\mathit{proj}(B)(T) \sqsubseteq \mathit{proj}(B)(T')$,

• $\mathit{rename}(r)(T) \sqsubseteq \mathit{rename}(r)(T')$.

□
2.3.3 Constructing Trace Structure Algebras

The definition of a trace structure algebra $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ requires that the set of trace structures $\mathcal{T}$ be closed under the operations on trace structures. This section proves three theorems that make it easier to prove closure, and shows how to use these theorems.

The first theorem states that if $\mathcal{T}$ is equal to the set of all trace structures over $\mathcal{C}_C$, then $\mathcal{T}$ is closed under the operations on trace structures, so $\mathcal{A}_C$ is a trace structure algebra. Recall that the alphabet of a trace structure need not be a finite set. The second theorem shows that the set of all trace structures with finite alphabets is closed under the operations on trace structures.

For the third theorem, let $(\mathcal{C}_C, \mathcal{T})$ be a trace structure algebra, where $\mathcal{T}$ is some subset of the set of trace structures over $\mathcal{C}_C$. For every alphabet $B$, let $\mathcal{L}(B)$ be a class of sets of complete traces over $B$, that is, $\mathcal{L}(B) \subseteq 2^{B_C(B)}$. Assume that $\mathcal{L}$ is closed under intersection, renaming, projection and "inverse projection" (this is formalized below). Let $\mathcal{T}'$ be the set of trace structures $(\gamma, P) \in \mathcal{T}$ such that $P$ is in $\mathcal{L}(A)$. Then $\mathcal{T}'$ is closed under the operations on trace structures, so $(\mathcal{C}_C, \mathcal{T}')$ is a trace structure algebra.

Let $\mathcal{T}$ be the set of all trace structures over $\mathcal{C}_C$. By the first theorem, $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ is a trace structure algebra. Let $\mathcal{T}^{R}$ be the set of all trace structures $(\gamma, P)$ over $\mathcal{C}_C$ for which $\gamma$ has a finite alphabet and $P$ is a mixed regular set of sequences (that is, $P$ is the union of a regular set and an $\omega$-regular set). By the second and third theorems, $\mathcal{A}_C^{R} = (\mathcal{C}_C, \mathcal{T}^{R})$ is also a trace structure algebra.

The remainder of this section formalizes and proves these results.

Theorem 2.27. If $\mathcal{C}_C$ is a trace algebra and $\mathcal{T}$ is the set of all of the trace structures over $\mathcal{C}_C$, then $\mathcal{T}$ is closed under the operations on trace structures, so $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ is a trace structure algebra.

Proof. The result of any operation on trace structures is always some trace structure $T$. Since $\mathcal{T}$ is the set of all trace structures, $T \in \mathcal{T}$. Therefore, by the definition of a trace structure algebra, $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ is a trace structure algebra.

□

Theorem 2.28. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ be a trace structure algebra. Let $\mathcal{T}'$ be the set of trace structures $T \in \mathcal{T}$ such that the alphabet of $T$ is a finite set. Then $\mathcal{A}'_C = (\mathcal{C}_C, \mathcal{T}')$ is a trace structure algebra.

Proof. It is easy to verify that the operations on trace structures produce trace structures with finite alphabets if the arguments to the operations have finite alphabets. This is sufficient to show that $\mathcal{T}'$ is closed under the operations on trace structures.

□


Definition 2.29. Let $\mathcal{T}$ be a set of trace structures over some trace algebra $\mathcal{C}_C$. The set of alphabets of $\mathcal{T}$ is the set of alphabets $A$ of a signature $\gamma$ in the set

$\{\gamma : \exists P\,[(\gamma, P) \in \mathcal{T}]\}.$

Theorem 2.30. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ be a trace structure algebra. For every alphabet $B$ of $\mathcal{T}$, let $\mathcal{L}(B)$ be a subset of $2^{B_C(B)}$. Let $\mathcal{T}'$ be the set of trace structures $T \in \mathcal{T}$ such that $P$ is in $\mathcal{L}(A)$. Then $\mathcal{A}'_C = (\mathcal{C}_C, \mathcal{T}')$ is a trace structure algebra if the following requirements are satisfied for every alphabet $B$ of $\mathcal{T}$.

L1. $\mathcal{L}(B)$ is closed under intersection.

L2. If $B' \subseteq B$ and $X \in \mathcal{L}(B)$, then $\mathit{proj}(B')(X) \in \mathcal{L}(B')$.

L3. If $B \subseteq B'$ and $X \in \mathcal{L}(B)$, then

$\{x \in B_C(B') : \mathit{proj}(B)(x) \in X\} \in \mathcal{L}(B').$

L4. If $r$ is a renaming function with domain $B$ and $X \in \mathcal{L}(B)$, then $\mathit{rename}(r)(X) \in \mathcal{L}(r(B))$.

Proof. We must show that $\mathcal{T}'$ is closed under the operations on trace structures. To show that $\mathcal{T}'$ is closed under composition, let $T, T' \in \mathcal{T}'$ and let $T'' = T \parallel T'$. Then $P''$ is in $\mathcal{L}(A'')$, since $\mathcal{L}(A'')$ is closed under intersection (L1) and "inverse projection" (L3). Closure under projection and renaming follows easily from L2 and L4, respectively.

□

Definition 2.31. We define $\mathcal{A}_C$ to be the ordered pair $(\mathcal{C}_C, \mathcal{T})$ where $\mathcal{T}$ is the set of all trace structures over $\mathcal{C}_C$. By theorem 2.27, $\mathcal{A}_C$ is a trace structure algebra.

Definition 2.32. We define $\mathcal{T}^{R}$ to be the set of all trace structures $T = (\gamma, P)$ over $\mathcal{C}_C$ for which $\gamma$ has a finite alphabet and $P$ is a mixed regular set of sequences. Also, $\mathcal{A}_C^{R}$ is the ordered pair $(\mathcal{C}_C, \mathcal{T}^{R})$. By theorem 2.33 (below), $\mathcal{A}_C^{R}$ is a trace structure algebra.

Theorem 2.33. $\mathcal{A}_C^{R}$ is a trace structure algebra.

Proof. Let $\mathcal{T}'$ be the set of $T \in \mathcal{T}$ with a finite alphabet. By theorem 2.28, since $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ is a trace structure algebra, so is $(\mathcal{C}_C, \mathcal{T}')$. For all finite alphabets $B$ of $\mathcal{T}'$, let $\mathcal{L}(B)$ be the set of mixed regular languages over $B$. It is easy to verify that $\mathcal{L}(B)$ satisfies L1 through L4. Let

$\mathcal{T}'' = \{T \in \mathcal{T}' : P \in \mathcal{L}(A)\}.$

By theorem 2.30, since $\mathcal{A}'_C = (\mathcal{C}_C, \mathcal{T}')$ is a trace structure algebra, so is $(\mathcal{C}_C, \mathcal{T}'')$. Notice that $\mathcal{T}''$ is equal to $\mathcal{T}^{R}$. Therefore, $\mathcal{A}_C^{R} = (\mathcal{C}_C, \mathcal{T}^{R})$ is a trace structure algebra.

□


2.4 Conservative Approximations

In the next chapter we show that discrete time trace structures are a conservative approximation of continuous time trace structures. In preparation for that result, we define here what it means for one trace structure algebra to be a conservative approximation of another.

A conservative approximation from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ is an ordered pair $\Psi = (\Psi_l, \Psi_u)$ where $\Psi_l$ and $\Psi_u$ are functions from $\mathcal{T}$ to $\mathcal{T}'$. For a given trace structure $T$ in $\mathcal{A}_C$, the trace structure $\Psi_l(T)$ is a kind of lower bound of $T$, while $\Psi_u(T)$ is an upper bound (relative to the '$\sqsubseteq$' ordering on trace structures). Here we require that $\Psi_l(T)$ and $\Psi_u(T)$ have the same signature as $T$; it is also possible to allow conservative approximations that can change the signature of a trace structure, but that is beyond the scope of this thesis.

As an example, consider the verification problem

$\mathit{proj}(A)(T_1 \parallel T_2) \sqsubseteq T,$

where $T_1$, $T_2$ and $T$ are trace structures in $\mathcal{T}$. This corresponds to checking whether an implementation consisting of two components $T_1$ and $T_2$ (along with some internal signals that are removed by the projection operation) satisfies the specification $T$. By definition, if $\Psi$ is a conservative approximation, then showing

$\mathit{proj}(A)(\Psi_u(T_1) \parallel \Psi_u(T_2)) \sqsubseteq \Psi_l(T)$

is sufficient to show that the original implementation satisfies its specification. Thus, the verification can be done in $\mathcal{A}'_C$, where it is presumably more efficient than in $\mathcal{A}_C$. A conservative approximation guarantees that doing the verification in this way will not lead to a false positive result, although false negatives are possible depending on how the approximation is chosen. The following definition formalizes the notion of a conservative approximation.

Definition 2.34. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ and $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ be trace structure algebras, and let $\Psi_l$ and $\Psi_u$ be functions from $\mathcal{T}$ to $\mathcal{T}'$. We say $\Psi = (\Psi_l, \Psi_u)$ is a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}'_C$ iff the following conditions are satisfied.

• For all $T \in \mathcal{T}$, the signature of $\Psi_l(T)$ and $\Psi_u(T)$ is $\gamma$.

• Let $E$ be an arbitrary expression potentially involving parallel composition, projection and renaming of trace structures in $\mathcal{T}$. Let $E'$ be formed from $E$ by replacing every instance of each trace structure $T$ with $\Psi_u(T)$. If $T_1$ is a trace structure in $\mathcal{T}$, and $E' \sqsubseteq \Psi_l(T_1)$, then $E \sqsubseteq T_1$.

Usually a conservative approximation $\Psi = (\Psi_l, \Psi_u)$ has the additional property that $\Psi_l(T) \sqsubseteq \Psi_u(T)$ for all $T$, but this is not required. Also, having $\Psi_l$ and $\Psi_u$ be monotonic (relative to the containment ordering on trace structures) is common but not required.

The simplest example of a conservative approximation $\Psi = (\Psi_l, \Psi_u)$ is

$\Psi_l(T) = (\gamma, \emptyset)$

$\Psi_u(T) = (\gamma, B'_C(A)).$

This definition of $\Psi$ clearly satisfies the first condition of definition 2.34. To see that it satisfies the second condition, notice that the set of possible traces of $E'$ and $\Psi_l(T_1)$ will be the universal set and the empty set, respectively; thus, it is never true that $E' \sqsubseteq \Psi_l(T_1)$. This particular conservative approximation is not useful, however, because it always leads to a negative verification result; it cannot be used to show that an implementation satisfies a specification. In section 2.4.2, we will show how a conservative approximation can be constructed using a homomorphism from one trace algebra to another. We give a concrete example of such a conservative approximation in section 3.3.1.
The remainder of this section proves theorems that provide sufficient conditions for showing that some $\Psi$ is a conservative approximation. The first theorem can be understood by recalling the example verification problem described above, and by considering the following chain of implications:

$\mathit{proj}(A)(\Psi_u(T_1) \parallel \Psi_u(T_2)) \sqsubseteq \Psi_l(T)$

assuming $\Psi_u(T_1 \parallel T_2) \sqsubseteq \Psi_u(T_1) \parallel \Psi_u(T_2)$

$\Rightarrow \mathit{proj}(A)(\Psi_u(T_1 \parallel T_2)) \sqsubseteq \Psi_l(T)$

assuming $\Psi_u(\mathit{proj}(A)(T')) \sqsubseteq \mathit{proj}(A)(\Psi_u(T'))$

$\Rightarrow \Psi_u(\mathit{proj}(A)(T_1 \parallel T_2)) \sqsubseteq \Psi_l(T)$

assuming $\Psi_u(T') \sqsubseteq \Psi_l(T)$ implies $T' \sqsubseteq T$

$\Rightarrow \mathit{proj}(A)(T_1 \parallel T_2) \sqsubseteq T.$

The theorem formalizes the above three assumptions (along with a fourth assumption for the renaming operation) and proves that they are sufficient to show that $\Psi$ is a conservative approximation.

In addition, we show that if $\Psi'$ provides looser lower and upper bounds than a conservative approximation $\Psi$ (i.e., $\Psi'_l(T) \sqsubseteq \Psi_l(T)$ and $\Psi_u(T) \sqsubseteq \Psi'_u(T)$ for all $T$), then $\Psi'$ is also a conservative approximation. Also, the functional composition of two conservative approximations yields another conservative approximation.

Theorem 2.35. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ and $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ be trace structure algebras, and let $\Psi_l$ and $\Psi_u$ be functions from $\mathcal{T}$ to $\mathcal{T}'$. Assume that for all $T \in \mathcal{T}$, the signature of $\Psi_l(T)$ and $\Psi_u(T)$ is $\gamma$. If the following propositions A1 through A4 are satisfied for all trace structures $T$, $T_1$ and $T_2$ in $\mathcal{T}$, then $\Psi = (\Psi_l, \Psi_u)$ is a conservative approximation.

A1. $\Psi_u(T_1 \parallel T_2) \sqsubseteq \Psi_u(T_1) \parallel \Psi_u(T_2)$.

A2. $\Psi_u(\mathit{proj}(B)(T)) \sqsubseteq \mathit{proj}(B)(\Psi_u(T))$.

A3. $\Psi_u(\mathit{rename}(r)(T)) \sqsubseteq \mathit{rename}(r)(\Psi_u(T))$.

A4. If $\Psi_u(T_1) \sqsubseteq \Psi_l(T_2)$, then $T_1 \sqsubseteq T_2$.

Proof. Let $E$ be an arbitrary expression potentially involving parallel composition, projection and renaming of trace structures in $\mathcal{T}$. Let $E'$ be formed from $E$ by replacing every instance of each trace structure $T$ with $\Psi_u(T)$. Let $T_1$ be a trace structure in $\mathcal{T}$, and assume $E' \sqsubseteq \Psi_l(T_1)$. We must show that $E \sqsubseteq T_1$.

Using A1, A2 and A3, it is easy to prove by induction over the structure of $E$ that $\Psi_u(E) \sqsubseteq E'$. Therefore, $\Psi_u(E) \sqsubseteq \Psi_l(T_1)$. By A4, $E \sqsubseteq T_1$.

□

Theorem 2.36. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ and $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ be trace structure algebras, and let $\Psi = (\Psi_l, \Psi_u)$ be a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}'_C$. If $\Psi' = (\Psi'_l, \Psi'_u)$ is such that $\Psi'_l(T) \sqsubseteq \Psi_l(T)$ and $\Psi_u(T) \sqsubseteq \Psi'_u(T)$ for all $T \in \mathcal{T}$, then $\Psi'$ is a conservative approximation.

Proof. Clearly, for all $T \in \mathcal{T}$, the signature of $\Psi'_l(T)$ and $\Psi'_u(T)$ is $\gamma$. Let $E$ be an arbitrary expression potentially involving parallel composition, projection and renaming of trace structures in $\mathcal{T}$. Let $E'$ be formed from $E$ by replacing every instance of each trace structure $T$ with $\Psi_u(T)$, and let $E''$ be similarly formed from $E$ by using $\Psi'_u$. Let $T_1$ be a trace structure in $\mathcal{T}$, and assume $E'' \sqsubseteq \Psi'_l(T_1)$. We must show that $E \sqsubseteq T_1$.

Recall that by theorem 2.26, parallel composition, projection and renaming are monotonic with respect to trace structure containment. Thus, $E' \sqsubseteq E''$, since $\Psi_u(T_2) \sqsubseteq \Psi'_u(T_2)$ for every $T_2$. This implies $E' \sqsubseteq \Psi_l(T_1)$, since $E'' \sqsubseteq \Psi'_l(T_1)$ and $\Psi'_l(T_1) \sqsubseteq \Psi_l(T_1)$. Therefore, $E \sqsubseteq T_1$, since $\Psi$ is a conservative approximation.

□

Theorem 2.37. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$, $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ and $\mathcal{A}''_C = (\mathcal{C}''_C, \mathcal{T}'')$ be trace structure algebras. Also, let $\Psi = (\Psi_l, \Psi_u)$ and $\Psi' = (\Psi'_l, \Psi'_u)$ be conservative approximations from $\mathcal{A}_C$ to $\mathcal{A}'_C$ and from $\mathcal{A}'_C$ to $\mathcal{A}''_C$, respectively. Then $\Psi'' = (\Psi''_l, \Psi''_u)$ is a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}''_C$, where

$\Psi''_l(T) = \Psi'_l(\Psi_l(T))$

$\Psi''_u(T) = \Psi'_u(\Psi_u(T)).$

Proof. Clearly, for all $T \in \mathcal{T}$, the signature of $\Psi''_l(T)$ and $\Psi''_u(T)$ is $\gamma$. Let $E$ be an arbitrary expression potentially involving parallel composition, projection and renaming of trace structures in $\mathcal{T}$. Let $E'$ be formed from $E$ by replacing every instance of each trace structure $T$ with $\Psi_u(T)$, and let $E''$ be similarly formed from $E$ by using $\Psi''_u$. Let $T_1$ be a trace structure in $\mathcal{T}$, and assume $E'' \sqsubseteq \Psi''_l(T_1)$. We must show that $E \sqsubseteq T_1$.

By the definition of $\Psi''$ and since $\Psi'$ is a conservative approximation, we know that $E' \sqsubseteq \Psi_l(T_1)$. Therefore, $E \sqsubseteq T_1$, since $\Psi$ is a conservative approximation.

□

2.4.1 Homomorphisms on Trace Algebras

We can define the notions of homomorphisms and isomorphisms between trace algebras. A homomorphism commutes with $\mathit{rename}$ and $\mathit{proj}$; also, if $x$ is a trace with alphabet $A$, then a homomorphism maps $x$ to a trace with alphabet $A$. Thus, our definition of a homomorphism is quite standard. We will show in the next section how homomorphisms can be used to construct conservative approximations. An isomorphism is a homomorphism that is also a bijection. It is also possible to allow homomorphisms that can change the alphabet of a trace, but that is beyond the scope of this thesis.

Definition 2.38. Let $\mathcal{C}_C$ and $\mathcal{C}'_C$ be trace algebras. Let $h$ be a function from $B_C$ to $B'_C$ such that for all alphabets $A$, if $x \in B_C(A)$, then $h(x) \in B'_C(A)$. The function $h$ is a homomorphism from $\mathcal{C}_C$ to $\mathcal{C}'_C$ iff

$h(\mathit{rename}(r)(x)) = \mathit{rename}(r)(h(x)),$

$h(\mathit{proj}(B)(x)) = \mathit{proj}(B)(h(x)).$

Chapter 3 has several examples of homomorphisms between trace algebras. Here is a simple example involving two of the trace algebras described in section 2.2.1. For all alphabets $A$, let $h$ map traces in $A^{*}$ to traces in $2^{A}$ such that

$h(x) = \{a : \exists n\,[a = x(n)]\}.$

It is easy to show that $h$ is a homomorphism. Applying $h$ to a trace abstracts away information about the order of events; all that remains is the set of actions that occurred one or more times.

Definition 2.39. A homomorphism from $\mathcal{C}_C$ to $\mathcal{C}'_C$ is an isomorphism iff it is a bijection. $\mathcal{C}_C$ and $\mathcal{C}'_C$ are isomorphic iff there exists an isomorphism from $\mathcal{C}_C$ to $\mathcal{C}'_C$.

Clearly if $h$ is an isomorphism, then so is $h^{-1}$. Also, an isomorphism on trace algebras induces an isomorphism on trace structure algebras, as follows.

Corollary 2.40. Let $h$ be an isomorphism from $\mathcal{C}_C$ to $\mathcal{C}'_C$. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ and $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ be trace structure algebras such that

$(\gamma, P) \in \mathcal{T} \Rightarrow (\gamma, h(P)) \in \mathcal{T}'$

$(\gamma, P') \in \mathcal{T}' \Rightarrow \exists (\gamma, P) \in \mathcal{T}\,[P' = h(P)].$

Then $\mathcal{A}_C$ and $\mathcal{A}'_C$ are isomorphic.

2.4.2  Approximations  Induced  by  Homomorphisms 

Let  h  he  a  trace  algebra  homomorphism  from  Cc  to  and  let  x  and  x'  be  traces  in  Cc 
and  C^,  respectively,  such  that  k(x)  =  x'.  Intuitivel}’,  the  trace  x'  is  an  abstraction  of  any 
trace  y  such  that  h{y)  =  x'.  Thus,  x'  can  be  thought  of  as  representing  the  set  of  aJl  such  y. 
Similarly,  u,  set  A'  of  traces  in  can  be  thought  of  as  representing  the  largest  set  such 
that  h{Y)  =  A”',  where  h  is  naturally  extended  to  sets  of  traces.  If  h{X)  =  X',  then  A'  C 
so  A  represents  a  kind  of  upper  bound  on  the  set  A’.  This  motivates  using  the  function 
such  that 

%iT)  =  {7,h{P)) 

as  the  upper  bound  in  a  conservative  approximation  from  a  trace  structure  algebra  over  Cc  to 
a  trace  structure  algebra  over  A  sufficient  condition  for  a  corresponding  lower  bound  is: 
if  X  ^  P,  then  /i(x)  is  not  in  the  set  of  possible  traces  of  Th:‘^  leads  to  the  definition 

^i{T)  =  {7,h{P)  -  h{Bc{A)  -  P)). 

The  conservative  approximation  is  an  example  of  a  conservative  approximation 

induced  by  h,  which  is  formalized  in  the  definition  below  using  a  slightly  tighter  lower  bound 
for  Using  this  concept,  if  one  proves  that  /i  is  a  homomorphism  between  two  trace  algebras 
(which  is  often  quite  easy),  then  one  obtains  a  conservative  approximation  between  trace  struc¬ 
tures  with  no  additional  effort.  A  conservative  approximation  induced  by  a  homomorphism  h 
is  closely  related  to  homomorphisms  on  w-automata  [57]. 
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Definition  2.41.  Let  h  he  a  homomorphism  from  Cc  to  C'q,  and  let  Ac  =  {Cc,T)  and 

be  trace  structure  algebras.  We  naturally  extend  h  to  sets  of  traces. 
Assume  and  are  functions  from  T  to  T'  such  that 

%(T)  D  (7,h(P)) 

W  c  (j,h(P)-h(r-p)), 

where 

r  =  [j{X  c  Bc{A)  :  (7,X)  6  T  A  h{X)  C  h{P)}. 

By  lemma  2.42  (below),  $  =  is  a  conservative  approximation  from  Ac  to  AIq^ 

which  we  call  a  conservative  approximation  induced  by  h  from  Ac  to  A!^.  If  the  two  set 
inequalities  above  are  replaced  by  equalities,  then  is  called  the  tightest  conservative 
approximation  induced  by  h  from  Ac  to  A'q. 

Notice that $h(P) - h(\mathcal{B}_C(A) - P)$ is a subset of $h(P) - h(Y - P)$, so

$$\Psi_u(T) = (\gamma, h(P))$$

$$\Psi_l(T) = (\gamma, h(P) - h(\mathcal{B}_C(A) - P))$$

(as described at the beginning of this section) is an example of a conservative approximation induced by $h$. This conservative approximation is independent of $\mathcal{T}$; the tightest conservative approximation induced by $h$ depends on both $h$ and $\mathcal{T}$.

Definition 2.41 defines both the class of conservative approximations induced by a homomorphism $h$ and a distinguished approximation in that class, which we call the tightest conservative approximation induced by $h$. It is obvious that this distinguished approximation is in fact the tightest approximation within the class we defined. That is, if $\Psi$ is the tightest conservative approximation induced by $h$ and $\Psi'$ is any conservative approximation induced by $h$, then $\Psi'_l(T) \subseteq \Psi_l(T)$ and $\Psi_u(T) \subseteq \Psi'_u(T)$ for any trace structure $T$.

However, it is not immediately clear that the class of approximations we defined includes all conservative approximations that might intuitively be "induced" by $h$. If there is a larger class of conservative approximations "induced" by $h$, then it might include an approximation that is tighter than the tightest one given in definition 2.41. We provide evidence that this is not the case in section 4.4, where we consider the inverse of a conservative approximation. This result depends on the particular set $Y$ used in definition 2.41, and would not be true if we replaced $Y$ by a simpler expression such as $\mathcal{B}_C(A)$. With our current understanding, we cannot give any intuitive motivation for the definition of $Y$; it is simply the smallest set (which leads to the largest $\Psi_l(T)$) we could find that made the proof of lemma 2.42 go through.

It is straightforward to take the general notion of a conservative approximation induced by a homomorphism, and apply it to specific models. Simply construct trace algebras $\mathcal{C}$ and $\mathcal{C}'$, and a homomorphism $h$ from $\mathcal{C}$ to $\mathcal{C}'$. Recall that these trace algebras act as models of individual behaviors. Using the results described so far in this chapter (without any additional proofs), one can construct the trace structure algebras $\mathcal{A} = (\mathcal{C}, \mathcal{T})$ and $\mathcal{A}' = (\mathcal{C}', \mathcal{T}')$, and a conservative approximation induced by $h$ (where $\mathcal{T}$ and $\mathcal{T}'$ are the sets of all trace structures over $\mathcal{C}$ and $\mathcal{C}'$, respectively). Thus, one need only construct two behavior models and a homomorphism between them to obtain two trace structure models along with a conservative approximation between the trace structure models.

The remainder of this section proves the claim made in definition 2.41: a conservative approximation induced by a homomorphism is in fact a conservative approximation.

Lemma 2.42. In definition 2.41, $\Psi$ is a conservative approximation.

Proof. By definition 2.41, $\Psi$ is such that

$$\Psi_u(T) \supseteq (\gamma, h(P))$$

$$\Psi_l(T) \subseteq (\gamma, h(P) - h(Y - P)),$$

where

$$Y = \bigcup\{X \subseteq \mathcal{B}_C(A) : (\gamma, X) \in \mathcal{T} \wedge h(X) \subseteq h(P)\}.$$

By theorem 2.36, the current lemma is satisfied if $\Psi$ is a conservative approximation when the two set inequalities above are replaced by equalities. Thus, we need only consider the case where

$$\Psi_u(T) = (\gamma, h(P))$$

$$\Psi_l(T) = (\gamma, h(P) - h(Y - P)).$$

By theorem 2.35, we can show that $\Psi$ is a conservative approximation by showing that it satisfies A1 through A4.
Lemma 2.43. $\Psi$ satisfies A1.

Proof. Let $T = T_1 \parallel T_2$; then

$$P = \{x \in \mathcal{B}_C(A) : \mathrm{proj}(A_1)(x) \in P_1 \wedge \mathrm{proj}(A_2)(x) \in P_2\}.$$

Let $T' = \Psi_u(T_1) \parallel \Psi_u(T_2)$; then

$$P' = \{x' \in \mathcal{B}'_C(A) : \mathrm{proj}(A_1)(x') \in h(P_1) \wedge \mathrm{proj}(A_2)(x') \in h(P_2)\}.$$

We must show that $h(P) \subseteq P'$.

$$h(P) = \{h(x) \in \mathcal{B}'_C(A) : \mathrm{proj}(A_1)(x) \in P_1 \wedge \mathrm{proj}(A_2)(x) \in P_2\}$$

$$\subseteq \{h(x) \in \mathcal{B}'_C(A) : h(\mathrm{proj}(A_1)(x)) \in h(P_1) \wedge h(\mathrm{proj}(A_2)(x)) \in h(P_2)\}$$

since $h$ is a homomorphism

$$= \{h(x) \in \mathcal{B}'_C(A) : \mathrm{proj}(A_1)(h(x)) \in h(P_1) \wedge \mathrm{proj}(A_2)(h(x)) \in h(P_2)\}$$

$$\subseteq \{x' \in \mathcal{B}'_C(A) : \mathrm{proj}(A_1)(x') \in h(P_1) \wedge \mathrm{proj}(A_2)(x') \in h(P_2)\}.$$

□

Lemma 2.44. $\Psi$ satisfies A2.

Proof.

$$h(\mathrm{proj}(B)(P)) = \{h(\mathrm{proj}(B)(x)) : x \in P\}$$

since $h$ is a homomorphism

$$= \{\mathrm{proj}(B)(h(x)) : x \in P\}$$

$$= \mathrm{proj}(B)(\{h(x) : x \in P\})$$

$$= \mathrm{proj}(B)(h(P)).$$

□


Lemma 2.45. $\Psi$ satisfies A3.

Proof.

$$h(\mathrm{rename}(r)(P)) = \{h(\mathrm{rename}(r)(x)) : x \in P\}$$

since $h$ is a homomorphism

$$= \{\mathrm{rename}(r)(h(x)) : x \in P\}$$

$$= \mathrm{rename}(r)(\{h(x) : x \in P\})$$

$$= \mathrm{rename}(r)(h(P)).$$

□

Lemma 2.46. $\Psi$ satisfies A4.

Proof. Assume $\Psi_u(T_1) \subseteq \Psi_l(T_2)$. Then $A_1 = A_2$; let $A = A_1$. We must show that $P_1 \subseteq P_2$.

Let $x \in P_1$ and

$$Y = \bigcup\{X \subseteq \mathcal{B}_C(A) : (\gamma, X) \in \mathcal{T} \wedge h(X) \subseteq h(P_2)\}.$$

By the definition of $\Psi$, the assumption $\Psi_u(T_1) \subseteq \Psi_l(T_2)$ implies $h(P_1) \subseteq h(P_2) - h(Y - P_2)$. Thus, by the definition of $Y$, and since $(\gamma, P_1) \in \mathcal{T}$, we know $P_1 \subseteq Y$. Therefore, $x \in Y$.

We show that $P_1 \subseteq P_2$ with the following series of implications:

$$x \in P_1 \Rightarrow h(x) \in h(P_1)$$

since $h(P_1) \subseteq h(P_2) - h(Y - P_2)$

$$\Rightarrow h(x) \in h(P_2) - h(Y - P_2)$$

$$\Rightarrow h(x) \notin h(Y - P_2)$$

since $x \in Y - P_2$ implies $h(x) \in h(Y - P_2)$

$$\Rightarrow x \notin Y - P_2$$

since $x \in Y$

$$\Rightarrow x \in P_2.$$

□
2.5 Summary

It is worthwhile to summarize the results of this chapter and to describe how they are applied and extended in the remainder of the thesis. We began by defining concurrency algebra, an abstract algebra in which each element of the domain represents an agent (def. 2.6, p. 23). Associated with each agent is a signature, which is a set of input symbols along with a (disjoint) set of output symbols. Each of these symbols might represent a wire in a circuit or a message that can be sent between communicating processes, etc. The union of the inputs and the outputs is the alphabet of a signature. A concurrency algebra has three operations on agents: parallel composition, projection and renaming. These operations must satisfy axioms C1 through C9, the axioms of concurrency algebra. These axioms formalize certain minimum requirements that any agent model should be expected to satisfy.

Concurrency algebra includes no notion of what it means for an agent to satisfy a specification. We address this by using trace set containment, which is a generalization of standard verification techniques based on language containment. Each agent is represented by a trace structure, which is an ordered pair of a signature $\gamma$ and a set $P$ of possible traces. Each trace in $P$ represents a possible behavior of the agent. Both implementations and specifications are represented by trace structures. One trace structure satisfies the specification given by another trace structure iff the set of possible traces of the first is contained in the set of possible traces of the second.

The  above  description  of  trace  structures  does  not  say  what  kinds  of  mathematical  objects 
are  used  as  traces.  In  normal  language  containment  methods,  a  trace  is  a  finite  or  infinite 
sequence,  so  a  set  of  traces  is  a  formal  language.  We  want  to  be  much  more  general  than  this, 
because  we  do  not  want  our  use  of  trace  structures  to  limit  the  kinds  of  real-time  models  we 
can  consider.  On  the  other  hand,  we  do  not  want  to  allow  completely  arbitrary  traces  because 
we  want  to  have  general  theorems  that  are  true  of  all  trace  structures  (so  the  theorems  do  not 
have  to  be  reproven  every  time  a  new  class  of  trace  structures  is  constructed). 

We  satisfy  these  constraints  by  using  the  idea  of  a  trace  algebra.  A  trace  algebra  (def.  4.20, 
p.  86)  is  an  abstract  algebra  with  a  set  of  traces  as  its  domain,  where  each  trace  is  interpreted 
as  an  abstraction  of  a  physical  behavior.  Traces  are  classified  according  to  their  alphabet. 
There  are  two  operations  in  a  trace  algebra:  projection  and  renaming.  These  operations  must 
satisfy  axioms  T1  through  T8,  the  axioms  of  trace  algebra.  Other  than  these  axioms,  no  other 
restrictions  are  placed  on  what  kinds  of  mathematical  objects  can  be  used  as  traces  in  a  trace 
algebra. 
Once trace algebra is formalized, it is possible to formalize trace structures. The set of trace structures (def. 2.15, p. 33) over a trace algebra $\mathcal{C}$ is the set of ordered pairs $(\gamma, P)$, where $\gamma$ is a signature and $P$ is a subset of the traces of $\mathcal{C}$ with the same alphabet as $\gamma$. A trace structure algebra is an ordered pair $\mathcal{A} = (\mathcal{C}, \mathcal{T})$, where $\mathcal{C}$ is a trace algebra and $\mathcal{T}$ is a subset of the set of trace structures over $\mathcal{C}$. The operations of parallel composition, projection and renaming are defined on trace structures in $\mathcal{T}$ using the operations of projection and renaming on individual traces in $\mathcal{C}$ (def. 2.18, def. 2.19 and def. 2.20, p. 33). The set of trace structures $\mathcal{T}$ must be closed under these operations. The axioms of trace algebra are quite weak, but they are strong enough to guarantee that the operations on trace structures satisfy the axioms of concurrency algebra. Thus, a trace structure algebra is a special case of a concurrency algebra.

Using these ideas to construct agent models only requires constructing a domain of traces, along with projection and renaming operations, and proving that they satisfy the axioms of trace algebra. A trace structure algebra, which is guaranteed to satisfy the axioms of concurrency algebra, can be constructed from the trace algebra without having to prove any additional theorems. Thus, our general results greatly simplify the task of constructing new agent models.

One of the uses of being able to easily build new process models is to study the relationships between models that can be efficiently mechanized and models that accurately represent physical reality. Ideally, correctness proofs (of trace set containment) in the efficient model would be logically equivalent to correctness proofs in the accurate model, but this is rarely the case. The best we can usually do is to have correctness in the efficient model imply correctness in the accurate model. This is formalized by using a conservative approximation from the accurate model to the efficient model (def. 2.34, p. 42). Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ and $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ be trace structure algebras. A conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}'_C$ is an ordered pair $\Psi = (\Psi_l, \Psi_u)$, where $\Psi_l$ and $\Psi_u$ are functions from $\mathcal{T}$ to $\mathcal{T}'$. For a given trace structure $T$ in $\mathcal{A}_C$, the trace structure $\Psi_l(T)$ is a kind of lower bound of $T$, while $\Psi_u(T)$ is an upper bound (relative to trace set containment). By definition, if a verification problem in $\mathcal{C}_C$ is converted into a verification problem in $\mathcal{C}'_C$ by applying a conservative approximation $\Psi$, then a correctness proof in the latter problem implies a correctness result in the former problem.

A general method for constructing conservative approximations involves homomorphisms on trace algebras (def. 2.38, p. 45). A homomorphism from $\mathcal{C}$ to $\mathcal{C}'$ is just a function from the traces of $\mathcal{C}$ to the traces of $\mathcal{C}'$ that satisfies the standard homomorphism laws for the operations of trace algebra. A conservative approximation induced by $h$ (def. 2.41, p. 46) is a conservative approximation from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$ for appropriate $\mathcal{T}$ and $\mathcal{T}'$.

We  take  advantage  of  these  results  in  the  next  chapter,  where  we  show  that  a  continuous 
time  model  can  be  conservatively  approximated  by  a  discrete  time  model.  We  need  only 
construct  the  appropriate  trace  algebras  and  homomorphisms;  the  trace  structure  algebras 
and  the  conservative  approximations  are  obtained  without  any  additional  effort. 

The conservative approximation defined in chapter 3 maps to a discrete time model that represents simultaneity explicitly, which can make the model more expensive to automate. We would like to define a conservative approximation from this model to a discrete time model with interleaving semantics. Such an approximation cannot be induced from a homomorphism, so a new technique for constructing conservative approximations is needed. In chapter 4 we show how to use a power set algebra over a trace algebra (def. 4.1, p. 77), which is a trace algebra $\mathcal{C}'$ where each trace in $\mathcal{C}'$ is a set of traces in some other trace algebra $\mathcal{C}$. The operations on traces in $\mathcal{C}'$ are the natural extension to sets of the corresponding operations in $\mathcal{C}$. For example, $\mathcal{C}$ might have interleaved traces while a trace in $\mathcal{C}'$ might be the set of interleavings of a trace with explicit simultaneity. Thus, $\mathcal{C}'$ would be isomorphic to a more conventional representation of explicit simultaneity. The relationship between $\mathcal{C}$ and $\mathcal{C}'$ can be used to construct a conservative approximation from $\mathcal{A} = (\mathcal{C}, \mathcal{T})$ to $\mathcal{A}' = (\mathcal{C}', \mathcal{T}')$ (def. 4.2, p. 78). This technique is used to complete the conservative approximation from continuous time to discrete time with interleaving semantics.
Chapter 3

Approximating  Continuous  Time 


Methods  for  modeling  and  verifying  real-time  systems  can  be  classified  according  to  the  type  of 
timing  model  that  is  used.  Continuous  time  allows  more  accurate  modeling  of  physical  reality. 
Discrete  time  models  give  an  approximation  to  reality  that  can  be  automated  more  efficiently. 
This  chapter  develops  several  different  trace  structure  algebras  for  modeling  real-time  systems, 
and  describes  conservative  approximations  from  continuous  time  to  discrete  time. 


3.1  Timing  Models 

In  this  chapter,  we  consider  four  different  kinds  of  timing  models: 

•  Continuous  time, 

•  Quantized  time  with  simultaneity, 

•  Quantized  time  with  interleaving,  and 

•  Synchronous  time. 

These models are informally described in this section; the formal definitions are given in the remainder of this chapter and in the next chapter. The classification is similar to that used by Alur and Dill [2], except that they did not differentiate the two quantized time models; they called them the fictitious clock model. They also used discrete to refer to what we call the synchronous model. We say a timing model is discrete if it is either synchronous or quantized.

For each of the four kinds of timing models, we can construct trace algebras with appropriate domains of traces. Using the results of the previous chapter, we can construct corresponding trace structure algebras and conservative approximations between them. Thus, we obtain a hierarchy of domains of agent models at different levels of abstraction. In this section, we give an informal overview of the trace algebras and the conservative approximations that we use.

Continuous time is our most accurate and realistic timing model. The time of occurrence of each event is represented by a real number. As an example, consider the continuous time trace

$$x = \{(a, 0.2), (b, 2.3), (c, 2.8), (d, 2.8), (e, 5.3)\}.$$

The behavior is represented by a set of events: each event is an ordered pair designating an action and the time at which the action occurred. The order in which events occurred can be derived from the time stamps.

In a continuous time model, it is possible for an infinite number of events to occur in a finite period of time (Zeno's paradox). Such behaviors are not produced by the agents we wish to model, so we exclude them from the trace algebras we use.

The synchronous time model is the least accurate of the four types of models. In the synchronous time model, the time at which events occur is represented by integers, which can be derived by truncating the real numbered time stamps in the continuous time model. Thus, we can define a homomorphism $h$ from continuous time traces to synchronous time traces such that

$$h(x) = \{(a, 0), (b, 2), (c, 2), (d, 2), (e, 5)\}.$$

Notice that in the synchronous time model, information about the order of occurrence of the $b$ event and the $c$ event is lost, as is information about the simultaneity of $c$ and $d$. This is equivalent to assuming that all events that occur sometime during a given unit length period all occur simultaneously at some time point during that period. Since $h$ is a homomorphism, there are conservative approximations induced by $h$ from continuous time trace structures to synchronous time trace structures.

In some cases, we wish to truncate time stamps to integers, but also preserve information about the order and simultaneity of events. To do this, we begin by modeling continuous time behaviors with a different, but provably isomorphic, representation. For example, the example behavior $x$ described above can be represented by the sequence

$$y = ((\{a\}, 0.2), (\{b\}, 2.3), (\{c, d\}, 2.8), (\{e\}, 5.3)).$$

Here a behavior is represented by a sequence of ordered pairs; each pair contains a non-empty set of actions (non-singleton sets represent simultaneous events) and a time stamp for the actions. The time stamps are real-valued, and must be (strictly) increasing. Notice that the order of events, and whether or not events are simultaneous, is represented more explicitly by the trace $y$ than the trace $x$, even though they both represent the same behavior at the same level of abstraction. The isomorphism between these two kinds of continuous time traces depends on our assumption that only a finite number of events can occur in a finite period of time.

We can define a function $h'$ that takes traces like $y$ and truncates the time stamps:

$$h'(y) = ((\{a\}, 0), (\{b\}, 2), (\{c, d\}, 2), (\{e\}, 5)).$$

Information about the relative order of the $b$ event and the $c$ event is preserved by $h'$ because this information is represented explicitly in the trace $y$. The simultaneity of the $c$ event and the $d$ event is also reflected in $h'(y)$. The trace $h'(y)$ is a trace in a quantized time with simultaneity model, and $h'$ is a homomorphism from continuous time to quantized time with simultaneity. In this model, a trace is a sequence of ordered pairs; each pair contains a non-empty set of actions and a time stamp for the actions. The time stamps are integer-valued, and must be (non-strictly) increasing. As with synchronous time, the homomorphism $h'$ induces conservative approximations from continuous time trace structures to trace structures for quantized time with simultaneity. Quantized time models are of intermediate accuracy between the synchronous and continuous time models.

In quantized time with interleaving, simultaneity is modeled with nondeterminism. Thus, the continuous time behavior $x$ is represented by two traces:

$$x' = ((a, 0), (b, 2), (c, 2), (d, 2), (e, 5))$$

$$x'' = ((a, 0), (b, 2), (d, 2), (c, 2), (e, 5)).$$

It is possible to construct a conservative approximation from quantized time with simultaneity to quantized time with interleaving. However, it is not a conservative approximation induced by a homomorphism. It is an example of a conservative approximation induced by a power set algebra (def. 4.2, p. 78) and it depends on the way that traces with simultaneity can be represented by sets of interleaved traces.

The traces $x'$ and $x''$ can be equivalently represented by infinite strings that include a special symbol $\varphi$. Each occurrence of $\varphi$ represents the passage of one unit of time. Thus, the traces $x'$ and $x''$ are equivalent to

$$y' = a\varphi\varphi bcd\varphi\varphi\varphi e\varphi\varphi \cdots$$

$$y'' = a\varphi\varphi bdc\varphi\varphi\varphi e\varphi\varphi \cdots .$$

Each trace has an infinite number of $\varphi$ to represent the passage of an unbounded amount of time (the normal interpretation of a complete trace). If we restrict our attention to safety properties, then only finite prefixes of these traces need be considered. The restriction to safety properties can be formalized in a general way using partial traces and a conservative approximation induced by a power set algebra (a complete trace is represented by the set of all partial traces that are prefixes of it). Thus, by a series of conservative approximations and isomorphisms between trace structure algebras, we go from a continuous time model to a quantized time with interleaving model that can be easily implemented using normal finite automata.
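The chain of representations described in this section, replayed as an added Python example (this code is not from the thesis): it maps the constructed trace $x$ above to its synchronous image $h(x)$, to the ordered representation $y$ and its quantized image $h'(y)$, to the two interleaved traces $x'$ and $x''$, and to finite prefixes of the $\varphi$-strings $y'$ and $y''$. The function names, the use of the character φ for the tick symbol, and the helper that lists the event orderings $h$ discards are this example's own assumptions.

```python
from math import floor
from itertools import permutations

# Constructed input: the continuous time trace x from the text,
# x = {(a, 0.2), (b, 2.3), (c, 2.8), (d, 2.8), (e, 5.3)}.
X_CT = frozenset({("a", 0.2), ("b", 2.3), ("c", 2.8), ("d", 2.8), ("e", 5.3)})


def h_sync(x):
    """Synchronous time: truncate every real time stamp to an integer.
    Order of events inside one unit interval, and simultaneity, are lost."""
    return frozenset((a, floor(t)) for (a, t) in x)


def to_ordered(x):
    """The isomorphic 'ordered' representation y: a sequence of
    (action set, time stamp) pairs with strictly increasing stamps.
    Sorting the stamps relies on there being finitely many events before
    any given time (the Zeno behaviors the text excludes)."""
    by_time = {}
    for a, t in x:
        by_time.setdefault(t, set()).add(a)
    return tuple((frozenset(by_time[t]), t) for t in sorted(by_time))


def h_prime(y):
    """Quantized time with simultaneity: truncate the stamps of an ordered
    trace; the sequence still records event order and simultaneous sets."""
    return tuple((acts, floor(t)) for (acts, t) in y)


def interleavings(yq):
    """Quantized time with interleaving: each simultaneous set is replaced
    by every ordering of its actions (simultaneity as nondeterminism)."""
    traces = {()}
    for acts, t in yq:
        traces = {prefix + tuple((a, t) for a in order)
                  for prefix in traces
                  for order in permutations(sorted(acts))}
    return traces


def tick_string(xq, horizon):
    """Encode an interleaved quantized trace as a string in which each 'φ'
    marks the passage of one time unit.  Only the finite prefix up to
    `horizon` ticks is produced: the safety-property view of the trace."""
    out, clock = [], 0
    for a, t in xq:
        while clock < t:
            out.append("φ")
            clock += 1
        out.append(a)
    while clock < horizon:
        out.append("φ")
        clock += 1
    return "".join(out)


def lost_order(x):
    """Pairs of events whose relative order h_sync can no longer recover:
    their real stamps differ but truncate to the same integer."""
    return {(a, b) for (a, ta) in x for (b, tb) in x
            if ta < tb and floor(ta) == floor(tb)}
```

Because the strings $y'$ and $y''$ are infinite, `tick_string` stops at a caller-chosen horizon; that prefix is exactly what the text says suffices when only safety properties are of interest. `lost_order(X_CT)` reports the $(b, c)$ and $(b, d)$ orderings that the synchronous image throws away, while `h_prime(to_ordered(X_CT))` keeps them.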


3.2  Modeling  Continuous  Time 

We model continuous time behaviors with two different, but isomorphic, trace algebras: $\mathcal{C}_C^{CU}$ ("continuous time unordered") and a second algebra ("continuous time ordered"). Having two representations simplifies the construction of conservative approximations from continuous time to discrete time. In particular, $\mathcal{C}_C^{CU}$ is used in the mapping to synchronous time, and the ordered algebra is used in the mapping to quantized time with simultaneity.

In this section we describe $\mathcal{C}_C^{CU}$, which uses traces consisting of a (possibly infinite) set of events, where each event is an ordered pair $(a, t)$ in $A \times \Re^+$ that represents the occurrence of action $a$ at time $t$. Only a finite number of actions are allowed in any finite period of time. The order of events is implicit and can be determined from their time stamps. For this reason, the model is called unordered.

Once $\mathcal{C}_C^{CU}$ is shown to be a trace algebra, it is possible to construct the trace structure algebra $\mathcal{A}_C^{CU} = (\mathcal{C}_C^{CU}, \mathcal{T}^{CU})$, where $\mathcal{T}^{CU}$ is the set of all trace structures over $\mathcal{C}_C^{CU}$. The construction makes use of the results of the previous chapter, and does not involve any additional proofs. This is an example of how constructing a trace algebra is all that is needed to construct a trace structure algebra which serves as a domain of agent models.

The remainder of the section formalizes the definition of $\mathcal{C}_C^{CU}$ and proves that it is a trace algebra.
Note 3.1. The definition of a trace algebra is relative to a set of signals $W$ (for example, see the definition of $\mathcal{C}_C$, def. 2.P, p. 27). In the sequel, the set of signals $W$ will be implicit in the definitions of particular trace algebras. The phrase "all alphabets" is used to refer to all alphabets over $W$.

Definition 3.2. We define the trace algebra $\mathcal{C}_C^{CU} = (\mathcal{B}_C^{CU}, \mathrm{proj}, \mathrm{rename})$ as follows. For all alphabets $A$, a trace $x$ in $\mathcal{B}_C^{CU}(A)$ is such that $x \subseteq A \times \Re^+$ and for any $t \in \Re^+$ there are only a finite number of $(a, t') \in x$ such that $t' < t$. If $x \in \mathcal{B}_C^{CU}(A)$, then

$$\mathrm{proj}(B)(x) = \{(a, t) : (a, t) \in x \wedge a \in B\}$$

$$\mathrm{rename}(r)(x) = \{(r(a), t) : (a, t) \in x\}.$$

Lemma 3.3. $\mathcal{C}_C^{CU}$ is a trace algebra.

Proof. To show that $\mathcal{C}_C^{CU}$ is a trace algebra, we must show that it satisfies T1 through T8. We only consider T4; the proofs for the remaining axioms are straightforward.

Lemma 3.4. $\mathcal{C}_C^{CU}$ satisfies T4.

Proof. Let $x$ and $x'$ be traces in $\mathcal{B}_C(A)$ and $\mathcal{B}_C(A')$, respectively. Assume

$$\mathrm{proj}(A \cap A')(x) = \mathrm{proj}(A \cap A')(x'),$$

and let $A''$ be such that $A \cup A' \subseteq A''$. We must show that there exists $x'' \in \mathcal{B}_C(A'')$ such that $x = \mathrm{proj}(A)(x'')$ and $x' = \mathrm{proj}(A')(x'')$.

Let $x'' = x \cup x'$. Notice that $x''$ is an element of $\mathcal{B}_C(A'')$, and

$$\mathrm{proj}(A)(x'') = \{(a, t) : (a, t) \in x'' \wedge a \in A\}$$

since $x'' = x \cup x'$

$$= \{(a, t) : (a, t) \in x \wedge a \in A\} \cup \{(a, t) : (a, t) \in x' \wedge a \in A\}$$

since $x \in \mathcal{B}_C(A)$ and $x' \in \mathcal{B}_C(A')$

$$= x \cup \{(a, t) : (a, t) \in x' \wedge a \in (A \cap A')\}$$

since $\mathrm{proj}(A \cap A')(x) = \mathrm{proj}(A \cap A')(x')$

$$= x \cup \{(a, t) : (a, t) \in x \wedge a \in (A \cap A')\}$$

$$= x.$$

Similarly, $x' = \mathrm{proj}(A')(x'')$. Therefore, $x''$ satisfies T4.

□

□
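The projection and renaming operations of definition 3.2, the witness $x'' = x \cup x'$ from the proof of lemma 3.4, and the parallel composition of trace structures that the proof of lemma 2.43 reasons about, written out as an added Python example (not part of the thesis). Traces are frozensets of (action, time) pairs, a renaming is passed as a dict, and the two sample agents and their alphabets are constructed for the example. Composition is computed through T4: since every trace over $A_1 \cup A_2$ is the union of its two projections, the composed trace set is exactly the set of unions of pairs from $P_1$ and $P_2$ that agree on $A_1 \cap A_2$.

```python
# Traces of the continuous time unordered algebra are finite sets of
# (action, time) pairs; frozensets keep them hashable as members of P.


def proj(B, x):
    """proj(B)(x): keep the events whose action lies in alphabet B (def. 3.2)."""
    return frozenset((a, t) for (a, t) in x if a in B)


def rename(r, x):
    """rename(r)(x): apply the renaming r (a dict here) to every action (def. 3.2)."""
    return frozenset((r[a], t) for (a, t) in x)


def agree_on_common(A1, x1, A2, x2):
    """The hypothesis of T4: x1 and x2 coincide after projection onto A1 ∩ A2."""
    return proj(A1 & A2, x1) == proj(A1 & A2, x2)


def t4_witness(A1, x1, A2, x2):
    """The witness x'' = x ∪ x' built in the proof of lemma 3.4, or None when
    the hypothesis of T4 fails (then the two traces disagree on a shared
    action and no common extension exists)."""
    if not agree_on_common(A1, x1, A2, x2):
        return None
    return x1 | x2


def check_t4(A1, x1, A2, x2):
    """Verify that the witness projects back onto both original traces."""
    x3 = t4_witness(A1, x1, A2, x2)
    return x3 is not None and proj(A1, x3) == x1 and proj(A2, x3) == x2


def compose(A1, P1, A2, P2):
    """Trace set of the parallel composition T1 || T2 used in lemma 2.43:
    P = {x over A1 ∪ A2 : proj(A1)(x) ∈ P1 ∧ proj(A2)(x) ∈ P2}.
    Because x = proj(A1)(x) ∪ proj(A2)(x) for every x over A1 ∪ A2, P is the
    set of unions of pairs (x1, x2) ∈ P1 × P2 that agree on A1 ∩ A2."""
    P = {x1 | x2 for x1 in P1 for x2 in P2 if agree_on_common(A1, x1, A2, x2)}
    return A1 | A2, frozenset(P)


# Constructed sample: an agent on {a, b} that emits b after a, and an agent
# on {b, c} that emits c after b; they synchronize on the shared action b.
A_LEFT = frozenset({"a", "b"})
P_LEFT = frozenset({
    frozenset({("a", 0.2), ("b", 1.0)}),
    frozenset({("a", 0.5), ("b", 1.3)}),
})
A_RIGHT = frozenset({"b", "c"})
P_RIGHT = frozenset({
    frozenset({("b", 1.0), ("c", 1.5)}),
    frozenset({("b", 2.0), ("c", 2.5)}),
})
```

Only one pair of sample traces agrees on the shared action $b$ at the same time, so `compose` returns a single global trace; the other three pairings are rejected by `agree_on_common`, which is the same test that decides whether `t4_witness` can produce an extension.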

Definition 3.5. We define $\mathcal{A}_C^{CU}$ to be the ordered pair $(\mathcal{C}_C^{CU}, \mathcal{T}^{CU})$ where $\mathcal{T}^{CU}$ is the set of all trace structures over $\mathcal{C}_C^{CU}$. By theorem 2.27, $\mathcal{A}_C^{CU}$ is a trace structure algebra.

3.3  Modeling  Synchronous  Time 

This section describes a trace algebra for modeling synchronous time, and shows how this model can be used to conservatively approximate continuous time. The trace algebra of synchronous time, $\mathcal{C}_C^S$, is similar to $\mathcal{C}_C^{CU}$ except that real-valued time stamps are replaced by integers. We define a homomorphism $h$ from $\mathcal{C}_C^{CU}$ to $\mathcal{C}_C^S$ that truncates the values of the time stamps for traces in $\mathcal{C}_C^{CU}$. The homomorphism $h$ allows us to construct a conservative approximation induced by $h$ from trace structures over $\mathcal{C}_C^{CU}$ to trace structures over $\mathcal{C}_C^S$.

This approximation is intended primarily as a simple example to illustrate mappings from continuous time. The conservative approximations used in the verification algorithms later in the thesis are based on quantized time rather than synchronous time.

One effect of the homomorphism $h$ is that two continuous time events $(a, 2.2)$ and $(a, 2.7)$, for example, are both represented by a single synchronous time event $(a, 2)$. Thus, in addition to losing information about the exact time at which events occur, we also lose information about the number of events that occur in a given unit interval.

Although we do not provide the details here, it can be shown that $\mathcal{C}_C^S$ is isomorphic to a trace algebra in which a trace over an alphabet $A$ is an infinite sequence $x$ over $2^A$. In such a trace, if $a \in x(n)$, then action $a$ occurred at time $n$. The representation of traces in $\mathcal{C}_C^S$ that we have chosen simplifies the homomorphism (described below) from $\mathcal{C}_C^{CU}$ to $\mathcal{C}_C^S$.

Definition 3.6. We define the trace algebra $\mathcal{C}_C^S$ as follows. For all alphabets $A$, a trace $x$ in $\mathcal{B}_C^S(A)$ is such that $x \subseteq A \times \mathbb{N}$. The definition of the operations on traces is identical to that of $\mathcal{C}_C^{CU}$: if $x \in \mathcal{B}_C^S(A)$, then

$$\mathrm{proj}(B)(x) = \{(a, t) : (a, t) \in x \wedge a \in B\}$$

$$\mathrm{rename}(r)(x) = \{(r(a), t) : (a, t) \in x\}.$$


Lemma 3.7. $\mathcal{C}_C^S$ is a trace algebra.

Proof. The proof is analogous to lemma 3.3, which showed that $\mathcal{C}_C^{CU}$ is a trace algebra.

□

Definition 3.8. We define $\mathcal{A}_C^S$ to be the ordered pair $(\mathcal{C}_C^S, \mathcal{T}^S)$ where $\mathcal{T}^S$ is the set of all trace structures over $\mathcal{C}_C^S$. By theorem 2.27, $\mathcal{A}_C^S$ is a trace structure algebra.

3.3.1  Approximating  Continuous  Time 

In this section we describe the first of our conservative approximations from continuous time to discrete time. We construct the conservative approximation by first defining the homomorphism $h$ from $\mathcal{C}_C^{CU}$ to $\mathcal{C}_C^S$ such that

$$h(x) = \{(a, \lfloor t \rfloor) : (a, t) \in x\}$$

(see lemma 3.9 for a proof that $h$ is a homomorphism). By lemma 2.42, $h$ induces a conservative approximation from trace structures over $\mathcal{C}_C^{CU}$ to trace structures over $\mathcal{C}_C^S$. This is an example of how the results of the previous chapter simplify the task of constructing a conservative approximation between two domains of agent models.

The tightest conservative approximation $\Psi = (\Psi_l, \Psi_u)$ induced by $h$ from $\mathcal{A}_C^{CU}$ to $\mathcal{A}_C^S$ has

$$\Psi_u(T) = (\gamma, h(P))$$

$$\Psi_l(T) = (\gamma, h(P) - h(Y - P)),$$

where

$$Y = \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : (\gamma, X) \in \mathcal{T}^{CU} \wedge h(X) \subseteq h(P)\}.$$

Recall that $\mathcal{T}^{CU}$ is the set of all trace structures over $\mathcal{C}_C^{CU}$. As an example of applying $\Psi$, let $T = (\gamma, P)$ be the trace structure in $\mathcal{A}_C^{CU}$ such that

$$A = \{a\}$$

$$\gamma = (\emptyset, A)$$

$$P = \{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 0.5 \le t < 2.5\}.$$
This gives

$$Y = \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : h(X) \subseteq h(P)\}$$

$$= \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : h(X) \subseteq \{\{(a, 0)\}, \{(a, 1)\}, \{(a, 2)\}\}\}$$

$$= \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : X \subseteq \{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 0 \le t < 3\}\}$$

$$= \{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 0 \le t < 3\}$$

$$\Psi_u(T) = (\gamma, h(P))$$

$$= (\gamma, \{\{(a, 0)\}, \{(a, 1)\}, \{(a, 2)\}\}).$$

$$\Psi_l(T) = (\gamma, h(P) - h(Y - P))$$

$$= (\gamma, h(P) - h(\{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : (0 \le t < 0.5) \vee (2.5 \le t < 3)\}))$$

$$= (\gamma, h(P) - \{\{(a, 0)\}, \{(a, 2)\}\})$$

$$= (\gamma, \{\{(a, 1)\}\}).$$

Notice that $\Psi_l(T) \subseteq \Psi_u(T)$, as expected.

Let $\mathcal{T}$ be the set of all trace structures over $\mathcal{C}_C^{CU}$ that have no events before time 0.5; that is,

$$\mathcal{T} = \{(\gamma, P) \in \mathcal{T}^{CU} : \forall x\,\forall b\,\forall t\,[(x \in P \wedge (b, t) \in x) \Rightarrow t \ge 0.5]\}.$$

Let $\mathcal{A}_C = (\mathcal{C}_C^{CU}, \mathcal{T})$; it can be shown that $\mathcal{A}_C$ is a trace structure algebra, although we do not give the details here. We can use $\mathcal{A}_C$ to demonstrate how the definition of a conservative approximation induced by a homomorphism depends on the set of trace structures in the trace structure algebra being approximated. Let $h$ and $T$ be as defined above (clearly $T \in \mathcal{T}$). Let $\Psi' = (\Psi'_l, \Psi'_u)$ be the tightest conservative approximation induced by $h$ from $\mathcal{A}_C$ to $\mathcal{A}_C^S$. Then

$$Y = \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : (\gamma, X) \in \mathcal{T} \wedge h(X) \subseteq h(P)\}$$

$$= \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : X \subseteq \{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 0.5 \le t\} \wedge h(X) \subseteq \{\{(a, 0)\}, \{(a, 1)\}, \{(a, 2)\}\}\}$$

$$= \bigcup\{X \subseteq \mathcal{B}_C^{CU}(A) : X \subseteq \{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 0.5 \le t < 3\}\}$$

$$= \{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 0.5 \le t < 3\}$$

and

$$\Psi'_l(T) = (\gamma, h(P) - h(Y - P))$$

$$= (\gamma, h(P) - h(\{\{(a, t)\} \in \mathcal{B}_C^{CU}(A) : 2.5 \le t < 3\}))$$

$$= (\gamma, h(P) - \{\{(a, 2)\}\})$$

$$= (\gamma, \{\{(a, 0)\}, \{(a, 1)\}\}).$$

Notice that $\{(a, 0)\}$ is a possible trace of $\Psi'_l(T)$ but not a possible trace of $\Psi_l(T)$. Thus, $\Psi'_l$ gives a tighter bound than $\Psi_l$. This is a direct result of $\mathcal{T}$ being a proper subset of $\mathcal{T}^{CU}$. The remainder of this section proves that $h$ is a homomorphism.

Lemma 3.9. The function $h$ from $\mathcal{C}_C^{CU}$ to $\mathcal{C}_C^S$ given by

$$h(x) = \{(a, \lfloor t \rfloor) : (a, t) \in x\}$$

is a homomorphism.

Proof. Clearly $h(x) \in \mathcal{B}_C^S(A)$. All that remains to be shown is that

$$h(\mathrm{proj}(B)(x)) = \mathrm{proj}(B)(h(x))$$

$$h(\mathrm{rename}(r)(x)) = \mathrm{rename}(r)(h(x)).$$

We consider proj; the rename case is also straightforward.

$$h(\mathrm{proj}(B)(x)) = h(\{(a, t) \in x : a \in B\})$$

$$= \{(a, \lfloor t \rfloor) : (a, t) \in x \wedge a \in B\}$$

$$= \mathrm{proj}(B)(\{(a, \lfloor t \rfloor) : (a, t) \in x\})$$

$$= \mathrm{proj}(B)(h(x)).$$

□

3.3.2  False  Positive  Example  Revisited 

In  section  1.2,  we  described  an  example  of  how  modeling  a  circuit  in  synchronous  time  can  lead 
to  a  false  positive  verification  result  relative  to  a  continuous  time  model.  In  section  3.3.1,  we 
showed  that  a  synchronous  time  model  can  be  a  conservative  approximation  of  a  continuous 
time  model.  To  understand  the  relationship  between  these  two  results,  it  is  helpful  to  analyze 
the  false  positive  example  more  thoroughly. 
The circuit behavior we used to demonstrate the false positive result is represented in continuous time by the complete trace

$$x = \{(w,0), (x3,1.3), (x2,1.9), (y2,2.3), (x1,2.5), (r,3.3)\}.$$

Consider the exclusive-or gate driving the signal $y1$ (see fig. 1.1, p. 14). Notice that $A = \{x1, x2, y1\}$ is the alphabet of that gate. Let

$$y = proj(A)(x)$$

$$= \{(x2,1.9), (x1,2.5)\}.$$

The complete trace $y$ represents the local behavior of the gate driving $y1$ during the global behavior represented by the trace $x$. Thus, if $T$ is the continuous time trace structure that represents the gate, then $y \in P$. Notice that there is no transition of the signal $y1$ in the trace $y$. This is because of the continuous time inertial delay model, since the inputs $x1$ and $x2$ have non-equal values only during a period that is shorter than the gate's minimum delay of 1.

Let $h$ be the homomorphism from continuous time traces to synchronous time traces described in section 3.3.1, and let $\Psi = (\Psi_l, \Psi_u)$ be a conservative approximation induced by $h$ from continuous time trace structures to synchronous time trace structures. If we were to use the synchronous time model to verify the circuit relative to some specification, then we would construct the trace structure $T' = \Psi_u(T)$, which is a conservative, synchronous time model of the gate driving $y1$. By the definition of $\Psi_u$, we know $h(P) \subseteq P'$, where $h$ is naturally extended to sets of traces (if $\Psi$ is the tightest conservative approximation induced by $h$, then $h(P) = P'$). Since $y \in P$, we have that $y' \in P'$, where

$$y' = h(y)$$

$$= \{(x2,1), (x1,2)\}.$$

However, in the synchronous time model that we informally used in section 1.2, the only behavior of the gate that could result from that sequence of inputs $x1$ and $x2$ is

$$y'' = \{(x2,1), (y1,2), (x1,2), (y1,3)\}.$$

A conservative, synchronous time model of the gate driving $y1$ must contain both of the traces $y'$ and $y''$. The fact that the informal model used in section 1.2 did not contain the trace $y'$ is the reason for the false positive verification result described there.

Notice that the trace $y''$ allows continuous time behaviors where the first three transitions (in order) are $x2$, $x1$ and $y1$. This is more conservative than necessary; such behaviors are not possible in the continuous time model of the gate. A tighter approximation can be obtained by using quantized time instead of synchronous time, since quantized time preserves information about the order of events.


3.4  Modeling  Quantized  Time  with  Simultaneity 

In this section, we define a trace algebra for quantized time with simultaneity. A homomorphism from continuous time traces to quantized time traces is used to construct a corresponding conservative approximation.

A trace in this algebra with alphabet $A$ consists of two (possibly infinite) sequences of the same length. The first is a sequence over $2^A - \{\emptyset\}$ representing a sequence of sets of simultaneous events. The second sequence provides an integer-valued time stamp for each set of events; it is a non-strictly increasing sequence.

Defining the homomorphism from continuous time traces to quantized time traces involves defining a second trace algebra for continuous time traces. A trace in this second algebra is similar to a trace in the quantized time algebra, except that the sequence of time stamps is a strictly increasing sequence of real numbers. There is a homomorphism from this second continuous time algebra to the quantized time algebra: it simply truncates the values of the time stamps in each trace. This implies that there is a homomorphism from the continuous time trace algebra of section 3.3.1 to the quantized time algebra, since the two continuous time algebras are isomorphic.

The remainder of this section formalizes the definition of the quantized time trace algebra and proves that it is a trace algebra.

Definition 3.10. We define the quantized time trace algebra $C_C$ as follows. For all alphabets $A$, a trace $x = (u,\tau)$ in $B_C(A)$ is such that

• $u$ is a (possibly infinite) sequence over $2^A - \{\emptyset\}$,

• $\tau$ is a (possibly infinite) sequence over $\mathcal{N}$,

• $u$ and $\tau$ are the same length,

• $n_0 < n_1$ implies $\tau(n_0) \le \tau(n_1)$ (increasing), and

• if $\tau$ has infinite length, then it is unbounded.

Let $x = (u,\tau)$ be a trace over some alphabet $A$.

• $proj(B)(x) = (u',\tau')$, where $u'$ is the sequence formed from $u$ by removing every symbol $a$ not in $B$, and $\tau'$ is formed from $\tau$ by removing the corresponding time stamps. More formally, $len(u')$ and $len(\tau')$ are both equal to

$$|\{j \in \mathcal{N} : 0 \le j < len(u) \land u(j) \cap B \ne \emptyset\}|.$$

Also,

$$u'(k) = u(n) \cap B$$
$$\tau'(k) = \tau(n),$$

where $n$ is the unique integer such that $u(n) \cap B \ne \emptyset$ and
$$k = |\{j \in \mathcal{N} : 0 \le j < n \land u(j) \cap B \ne \emptyset\}|.$$

• $rename(r)(x) = (\lambda n \in \mathcal{N}[r(u(n))], \tau)$.

Lemma 3.11. $C_C$ is a trace algebra.

Proof. To show that $C_C$ is a trace algebra, we must show that it satisfies T1 through T8. We only consider T4; the proofs for the remaining axioms are straightforward.

Lemma 3.12. $C_C$ satisfies T4.

Proof. Let $x = (u,\tau)$ and $x' = (u',\tau')$ be traces in $B_C(A)$ and $B_C(A')$, respectively. Assume

$$proj(A \cap A')(x) = proj(A \cap A')(x'),$$

and let $A''$ be such that $A \cup A' \subseteq A''$. We must show that there exists $x'' \in B_C(A'')$ such that $x = proj(A)(x'')$ and $x' = proj(A')(x'')$.

We defined $C_C$ so that traces are a pair of sequences. However, in this case it is useful to also think of a trace as a sequence of pairs; the isomorphism is obvious. Thus, we write $x(n)$ to denote the pair $(u(n), \tau(n))$.

We must show how $x$ and $x'$ can be combined to form an appropriate $x''$. Our strategy is to first split the sequence $x$ into an infinite number of subsequences $y_n$ such that the time stamp of all of the pairs in $y_n$ is $n$. We also form $y'_n$ from $x'$ in an analogous fashion. We show how to combine each $y_n$ and $y'_n$ into $y''_n$ such that $x'' = y''_0\, y''_1\, y''_2 \cdots$ has the desired property.

For every non-negative integer $n$, let $y_n$ be the sequence over $(2^A - \{\emptyset\}) \times \{n\}$ such that

$$len(y_n) = |\{j : \tau(j) = n\}|$$

and

$$y_n(j) = x(k + j),$$

where $k$ is the smallest integer such that $\tau(k) = n$. Since $\tau$ is unbounded when it is of infinite length, each $y_n$ is of finite length. Thus, $y_n \in ((2^A - \{\emptyset\}) \times \{n\})^*$. Notice that

$$x = y_0\, y_1\, y_2 \cdots.$$

We define $y'_n$ analogously to $y_n$.

Each sequence $y_n$ is of the form

$$y_n = v_0\,(a_0,n) \cdots v_{j-1}\,(a_{j-1},n)\,v_j,$$

where each $v_i \in ((2^{A-A'} - \{\emptyset\}) \times \{n\})^*$ and each $a_i \in 2^A - \{\emptyset\}$ such that $a_i \cap A' \ne \emptyset$.

Similarly, each $y'_n$ is of the form

$$y'_n = v'_0\,(a'_0,n) \cdots v'_{j'-1}\,(a'_{j'-1},n)\,v'_{j'},$$

where each $v'_i \in ((2^{A'-A} - \{\emptyset\}) \times \{n\})^*$ and each $a'_i \in 2^{A'} - \{\emptyset\}$ such that $a'_i \cap A \ne \emptyset$.

The assumption $proj(A \cap A')(x) = proj(A \cap A')(x')$ implies that $j = j'$ and

$$a_i \cap (A \cap A') = a'_i \cap (A \cap A')$$

for all $i < j$. Since $a_i \in 2^A - \{\emptyset\}$ and $a'_i \in 2^{A'} - \{\emptyset\}$, this implies $a_i \cap A' = a'_i \cap A$.

Let

$$y''_n = v_0\,v'_0\,(a_0 \cup a'_0, n) \cdots v_{j-1}\,v'_{j-1}\,(a_{j-1} \cup a'_{j-1}, n)\,v_j\,v'_j.$$

Notice that

$$proj(A)(y''_n) = proj(A)(v_0\,v'_0\,(a_0 \cup a'_0, n) \cdots v_{j-1}\,v'_{j-1}\,(a_{j-1} \cup a'_{j-1}, n)\,v_j\,v'_j)$$
since $v'_i \in ((2^{A'-A} - \{\emptyset\}) \times \{n\})^*$
$$= proj(A)(v_0\,(a_0 \cup a'_0, n) \cdots v_{j-1}\,(a_{j-1} \cup a'_{j-1}, n)\,v_j)$$
since $a'_i \cap A \subseteq a_i$
$$= proj(A)(v_0\,(a_0,n) \cdots v_{j-1}\,(a_{j-1},n)\,v_j)$$
since $v_i \in ((2^{A-A'} - \{\emptyset\}) \times \{n\})^*$ and $a_i \in 2^A - \{\emptyset\}$
$$= v_0\,(a_0,n) \cdots v_{j-1}\,(a_{j-1},n)\,v_j$$
$$= y_n.$$

Similarly, $proj(A')(y''_n) = y'_n$.

Then,

$$proj(A)(x'') = proj(A)(y''_0\, y''_1\, y''_2 \cdots)$$
$$= proj(A)(y''_0)\; proj(A)(y''_1)\; proj(A)(y''_2) \cdots$$
$$= y_0\, y_1\, y_2 \cdots$$
$$= x.$$

Similarly, $x' = proj(A')(x'')$. Therefore, $x''$ satisfies T4.


□ 

Definition 3.13. We define the quantized time trace structure algebra to be the ordered pair formed by $C_C$ and the set of all trace structures over $C_C$. By theorem 2.27, it is a trace structure algebra.

3.4.1  Approximating  Continuous  Time 

In this section we describe our next conservative approximation from continuous to discrete time. The first step is to define another trace algebra for representing continuous time, and show that it is isomorphic to the continuous time trace algebra used in section 3.3.1. A trace $x$ in the new algebra is an ordered pair $(u,\tau)$ like a trace of $C_C$, except $\tau$ is a strictly increasing sequence of real numbers rather than a sequence of integers. We define a homomorphism $h$ from the new continuous time algebra to $C_C$ such that if $x = (u,\tau)$ is a trace in the new algebra, then $h(x) = (u,\tau')$, where $\tau'(n) = \lfloor \tau(n) \rfloor$. By lemma 2.42, $h$ induces a conservative approximation from continuous time trace structures to quantized time trace structures. This conservative approximation is analogous to the one described in section 3.3.1, which was induced by a homomorphism from continuous time traces to synchronous time traces.

The remainder of this section proves these claims. We begin by formally defining the new continuous time trace algebra and showing that it is a trace algebra and is isomorphic to the continuous time trace algebra of section 3.3.1.

Definition 3.14. We define the continuous time trace algebra with sequence-pair traces as follows. For all alphabets $A$, a trace $x = (u,\tau)$ in $B_C(A)$ is such that

• $u$ is a (possibly infinite) sequence over $2^A - \{\emptyset\}$,

• $\tau$ is a (possibly infinite) sequence of real numbers,

• $u$ and $\tau$ are the same length,

• $n_0 < n_1$ implies $\tau(n_0) < \tau(n_1)$ (strictly increasing), and

• if $\tau$ has infinite length, then it is unbounded.

Let $x = (u,\tau)$ be a trace over some alphabet $A$. The definitions of $proj$ and $rename$ are identical to those for the quantized time algebra of definition 3.10.

• $proj(B)(x) = (u',\tau')$, where $u'$ is the sequence formed from $u$ by removing every symbol $a$ not in $B$, and $\tau'$ is formed from $\tau$ by removing the corresponding time stamps. More formally, $len(u')$ and $len(\tau')$ are both equal to

$$|\{j \in \mathcal{N} : 0 \le j < len(u) \land u(j) \cap B \ne \emptyset\}|.$$

Also,

$$u'(k) = u(n) \cap B$$
$$\tau'(k) = \tau(n),$$

where $n$ is the unique integer such that $u(n) \cap B \ne \emptyset$ and
$$k = |\{j \in \mathcal{N} : 0 \le j < n \land u(j) \cap B \ne \emptyset\}|.$$

• $rename(r)(x) = (\lambda n \in \mathcal{N}[r(u(n))], \tau)$.

To show that this is a trace algebra, it is sufficient to show that there is an isomorphism $h$ from it to the continuous time trace algebra of section 3.3.1. Since the latter is a trace algebra, this demonstrates that the new algebra is a trace algebra, as well as showing that it is isomorphic to the continuous time trace algebra of section 3.3.1.
Lemma 3.15. The trace algebra of definition 3.14 is a trace algebra and is isomorphic to the continuous time trace algebra of section 3.3.1.

Proof. Let $x = (u,\tau)$ be a trace in $B_C(A)$. We define $h$ such that

$$h(x) = \{(a,t) : \exists n < len(u)\,[a \in u(n) \land t = \tau(n)]\}.$$

It can be shown that $h$ is a surjection, since continuous time traces have only a finite number of actions during any finite period of time.

Also, it is straightforward to show that $h$ is an injection and that for all continuous time traces $x'$ over $A$,

$$h^{-1}(x') = (u,\tau),$$

where $u$ and $\tau$ are uniquely determined by the following constraints. First, the length of $u$ and $\tau$ is

$$|\{t' : \exists a \in A\,[(a,t') \in x']\}|.$$

Second, if $n < len(u)$ then $\tau(n)$ is the unique real number such that $\exists a\,[(a,\tau(n)) \in x']$ and

$$n = |\{t' < \tau(n) : \exists a \in A\,[(a,t') \in x']\}|.$$

Third, if $n < len(u)$ then

$$u(n) = \{a : (a,\tau(n)) \in x'\}.$$

It is also straightforward to show that $h$ is a homomorphism. For example, the reader can easily verify that if $x = (u,\tau)$ is a trace in $B_C(A)$ then both $proj(B)(h(x))$ and $h(proj(B)(x))$ are equal to

$$\{(a,t) : \exists n < len(u)\,[a \in (u(n) \cap B) \land t = \tau(n)]\}.$$


□ 
Lemma 3.16. Let $h$ be the function from the continuous time algebra of definition 3.14 to the quantized time algebra of definition 3.10 such that if $x = (u,\tau)$ is a trace of $B_C(A)$, then

$$h(x) = (u,\tau'),$$

where

$$\tau'(n) = \lfloor \tau(n) \rfloor.$$

Then $h$ is a homomorphism.

Proof. Clearly $h(x) \in B_C(A)$. All that remains to be shown is that

$$h(proj(B)(x)) = proj(B)(h(x))$$
$$h(rename(r)(x)) = rename(r)(h(x)).$$

The reader can verify that both $h(proj(B)(x))$ and $proj(B)(h(x))$ are equal to $(u'',\tau'')$, where $len(u'')$ and $len(\tau'')$ are both equal to

$$|\{j \in \mathcal{N} : 0 \le j < len(u) \land u(j) \cap B \ne \emptyset\}|$$

and

$$u''(k) = u(n) \cap B$$
$$\tau''(k) = \lfloor \tau(n) \rfloor,$$

and $n$ is the unique integer such that $u(n) \cap B \ne \emptyset$ and
$$k = |\{j \in \mathcal{N} : 0 \le j < n \land u(j) \cap B \ne \emptyset\}|.$$

Also,

$$h(rename(r)(x)) = h((\lambda n \in \mathcal{N}[r(u(n))], \tau))$$

$$= (\lambda n \in \mathcal{N}[r(u(n))], \lambda n \in \mathcal{N}[\lfloor \tau(n) \rfloor])$$

$$= rename(r)((u, \lambda n \in \mathcal{N}[\lfloor \tau(n) \rfloor]))$$

$$= rename(r)(h(x)).$$

□ 
3.4.2 False Positive Example Revisited

In section 3.3.2 we analyzed the false positive example of section 1.2 with a conservative, synchronous time model. In this section, we do a similar analysis with a quantized time model.

Recall that the continuous time trace

$$y = \{(x2,1.9), (x1,2.5)\}$$

represents the local behavior of the gate driving $y1$ in the false positive example. Let $z'$ be the result of applying our homomorphism $h$ from continuous time traces to quantized time traces:

$$z' = h(y)$$

$$= ((\{x2\},1), (\{x1\},2)).$$

A quantized time trace structure representing the gate should also contain the trace

$$z'' = ((\{x2\},1), (\{y1\},2), (\{x1\},2), (\{y1\},3)),$$

representing a behavior in which the time between the $x2$ and $x1$ events is greater than or equal to 1, such as

$$\{(x2,1.9), (y1,2.9), (x1,2.95), (y1,3.95)\}.$$

Recall that the synchronous time model of the gate needed to include the traces

$$y' = \{(x2,1), (x1,2)\}$$

$$y'' = \{(x2,1), (y1,2), (x1,2), (y1,3)\}.$$

As stated earlier, the trace $y''$ allows continuous time behaviors where the first three transitions (in order) are $x2$, $x1$ and $y1$. This is more conservative than necessary because such behaviors are not possible in the continuous time model of the gate. Since the trace $z''$ does not allow such continuous time behaviors, it is a tighter approximation than $y''$ is.

3.5 Application to Automatic Verification

Let us consider how conservative approximations from continuous time trace structures to discrete time trace structures can be applied in automatic verification. One method for mechanically verifying that an implementation satisfies a continuous time specification is as follows. First, construct data structures for each of the continuous time trace structures representing the specification and the components of the implementation. Then, algorithmically convert each of the continuous time trace structures to discrete time, and then decide the verification problem in discrete time.

We do not use this method, however, because we want to avoid having to construct a machine readable representation for any continuous time trace structures. Instead, we recommend a method involving a specification language with both continuous and discrete time semantics. The discrete time semantics must be shown to be a conservative approximation of the continuous time semantics, for any specification written in that language. The user writes descriptions of the specification and the components in this specification language, keeping the continuous time semantics in mind. The descriptions are translated into discrete time trace structures that are used to decide the verification problem. The result is a conservative approximation of the continuous time verification problem the user had in mind, but continuous time trace structures are never constructed. Implementing a specification language that can be used in this way is an area for future research.

Our results so far describe a conservative approximation from continuous time to quantized time with simultaneity. Using trace structure algebra techniques described in the next chapter (conservative approximations induced by power set algebras), we can extend this conservative approximation to quantized time with interleaving. The verification method described above can be used for the extended conservative approximation, as well.
Chapter 4

Trace  Algebra,  Part  II 


This  chapter  describes  more  advanced  features  of  trace  algebra  such  as  partial  traces  and 
conservative  approximations  induced  by  powerset  algebras  over  trace  algebras.  We  use  these 
features  to  extend  the  conservative  approximations  described  in  the  previous  chapter. 


4.1  Power  Set  Algebras  over  Trace  Algebras 

We begin with an example to motivate power set algebras over trace algebras. Let $C_Q$ be the trace algebra given by:

• $B_Q(A)$ is the set of sequences over $2^A - \{\emptyset\}$.

• $proj(B)(x) = x'$, where $x'$ is the sequence formed by intersecting $B$ with each element of the sequence $x$ and then removing any instances of the empty set that result. More formally, $len(x')$ is equal to

$$|\{j \in \mathcal{N} : 0 \le j < len(x) \land x(j) \cap B \ne \emptyset\}|,$$

and

$$x'(k) = x(n) \cap B,$$

where $n$ is the unique integer such that $x(n) \cap B \ne \emptyset$ and
$$k = |\{j \in \mathcal{N} : 0 \le j < n \land x(j) \cap B \ne \emptyset\}|.$$

• $rename(r)(x) = \lambda n \in \mathcal{N}[r(x(n))]$.

This trace algebra was also described in section 2.2.1; it is an untimed behavior model with explicit simultaneity. The proof that $C_Q$ is a trace algebra is left as an exercise to the reader.

It is well known that a trace with explicit simultaneity can be represented by its set of interleavings. We use this fact to construct a trace algebra that is isomorphic to $C_Q$ and that is a power set algebra over the untimed interleaving trace algebra. Each trace in the new algebra is a set of traces from the interleaving algebra; this set of traces is the set of interleavings of some trace in $C_Q$. The operations of the new algebra are the same as those in the interleaving algebra except that they are naturally extended to sets. The main result of this section is the description of how to use power set algebras to construct conservative approximations from (for example) trace structures over $C_Q$ to trace structures over the interleaving algebra. The approximations are independent of the details of the trace algebras; they depend only on the fact that the new algebra is isomorphic to $C_Q$ and is a power set algebra over the interleaving algebra.

The construction of the new algebra involves the function $interleave$ from traces in $C_Q$ to sets of traces in the interleaving algebra. Let $x$ be a trace in $C_Q$. For all $n \in \mathcal{N}$ such that $n \le len(x)$, let

$$l_n(x) = \sum_{k=0}^{n-1} |x(k)|.$$

We define $interleave(x)$ to be the set of traces $x'$ of the interleaving algebra such that for all $n$,

$$x(n) = \{x'(k) : l_n(x) \le k < l_{n+1}(x)\}.$$

Intuitively, this is the set of traces that can be formed from $x$ by constructing a permutation of each of the sets $x(n)$ and then concatenating the permutations together. Notice that for all alphabets $A$, if $x \in B_Q(A)$, then $interleave(x)$ is a subset of the traces of the interleaving algebra over $A$.

The function $interleave$ is an injection. To see this, let $x_0$ and $x_1$ be distinct traces in $B_Q(A)$. Since $x_0$ and $x_1$ are distinct, there exists a smallest $n$ such that $x_0(n) \ne x_1(n)$. Also, there exists a $b$ such that either

$$b \in x_0(n) - x_1(n)$$

or

$$b \in x_1(n) - x_0(n).$$

Consider the first case; the second case is analogous. Since $b \in x_0(n)$, there exists a trace $x' \in interleave(x_0)$ such that $x'(l_n(x_0)) = b$. Since $b \notin x_1(n)$, there does not exist a trace $x' \in interleave(x_1)$ such that $x'(l_n(x_1)) = b$. Since $n$ is the index of the first element on which $x_0$ and $x_1$ differ, $l_n(x_0) = l_n(x_1)$. Thus,

$$interleave(x_0) \ne interleave(x_1).$$

Therefore, $interleave$ is an injection.

Since $interleave$ is an injection, we can use it to construct a trace algebra that is isomorphic to $C_Q$ and such that each trace is a set of traces from the interleaving algebra. Writing $B(A)$ for the set of traces of the interleaving algebra over $A$, the carrier and operations of the new algebra are

$$\{y \subseteq B(A) : \exists x \in B_Q(A)\,[y = interleave(x)]\}$$

$$proj(B)(y) = interleave(proj(B)(interleave^{-1}(y)))$$
$$rename(r)(y) = interleave(rename(r)(interleave^{-1}(y))),$$

where the inner $proj$ and $rename$ are the operations of $C_Q$.

The reader can verify the following identities, which relate the operations of $C_Q$ (on the left) to those of the interleaving algebra (on the right):

$$interleave(proj(B)(x)) = \{proj(B)(x') : x' \in interleave(x)\}$$
$$interleave(rename(r)(x)) = \{rename(r)(x') : x' \in interleave(x)\}.$$

These are used to show that the operations of the new algebra are just the natural extension to sets of the corresponding operations of the interleaving algebra:

$$proj(B)(y) = interleave(proj(B)(interleave^{-1}(y)))$$

$$= \{proj(B)(x') : x' \in interleave(interleave^{-1}(y))\}$$

$$= \{proj(B)(x') : x' \in y\};$$

similarly,

$$rename(r)(y) = \{rename(r)(x') : x' \in y\}.$$

These properties of the new algebra make it a power set algebra over the interleaving algebra, as defined below.


Definition 4.1. Let $C_C = (B_C, proj, rename)$ and $C'_C = (B'_C, proj', rename')$ be trace algebras. We say $C_C$ is a power set algebra over $C'_C$ iff

• $x \in B_C(A)$ implies $x \subseteq B'_C(A)$,

• $proj(B)(x) = \{proj'(B)(x') : x' \in x\}$,

• $rename(r)(x) = \{rename'(r)(x') : x' \in x\}$.
We want to construct a conservative approximation from trace structures over the power set algebra to trace structures over the interleaving algebra (which, because of the isomorphism between the power set algebra and $C_Q$, allows us to construct a conservative approximation from trace structures over $C_Q$ to trace structures over the interleaving algebra). To do this, we need to find a way that a set of traces in the interleaving algebra can be interpreted as representing or approximating a set of traces in the power set algebra. We use the notation of definition 4.1.

Let $P$ be a subset of $B_C(A)$ for some alphabet $A$. Since each trace $x$ in $C_C$ is a set of traces in $C'_C$, the set $P' = \bigcup P$ is well-defined and is a subset of $B'_C(A)$. The set $P'$ can be thought of as representing the largest set $P$ of traces in $C_C$ such that $P' = \bigcup P$. This is a standard way of using a set of interleaved traces to (approximately) represent a set of traces with explicit simultaneity or partial order semantics. Notice that $P$ is the largest set of traces in $C_C$ such that $P' = \bigcup P$ if and only if

$$x \in B_C(A) \land x \subseteq P' \iff x \in P.$$

So the above logical equivalence specifies when $P'$ represents $P$ exactly. For a conservative approximation, we do not need to represent $P$ exactly, but we do need to construct $P'_u$ and $P'_l$ (subsets of $B'_C(A)$) that represent upper and lower bounds on $P$. The above requirement for exactness can be split into two parts to form requirements for such upper and lower bounds:

$$x \in B_C(A) \land x \subseteq P'_u \Leftarrow x \in P$$
$$x \in B_C(A) \land x \subseteq P'_l \Rightarrow x \in P$$

The requirement that $x \in B_C(A)$ is redundant in the reverse implication since $P \subseteq B_C(A)$. This leads to the following definition of a class of conservative approximations from (for example) trace structures over $C_C$ to trace structures over $C'_C$.

Definition 4.2. Let $C'_C$ be a trace algebra and let $C_C$ be a power set algebra over $C'_C$. Let $\mathcal{A}_C = (C_C, \mathcal{T})$ and $\mathcal{A}'_C = (C'_C, \mathcal{T}')$ be trace structure algebras. Let $\Psi_l$ and $\Psi_u$ be functions from $\mathcal{T}$ to $\mathcal{T}'$ such that if $T'_u = \Psi_u(T)$ and $T'_l = \Psi_l(T)$, then

$$\gamma'_u = \gamma$$

$$\gamma'_l = \gamma$$

$$x \subseteq P'_u \Leftarrow x \in P, \qquad (4.1)$$

$$x \in B_C(A) \land x \subseteq P'_l \Rightarrow x \in P. \qquad (4.2)$$

By lemma 4.3 (below), $\Psi = (\Psi_l, \Psi_u)$ is a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}'_C$. We call $\Psi$ a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}'_C$ induced by the power set algebra $C_C$. If

$$P'_u = \bigcup P,$$

$$P'_l = \bigcup P - \bigcup\{x \in B_C(A) - P : x \subseteq \bigcup P\}$$

then the above constraints on $P'_u$ and $P'_l$ are clearly satisfied. In this case, we call $\Psi$ the standard conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}'_C$ induced by $C_C$.

In chapter 2, we were able to characterize the tightest conservative approximation induced by a homomorphism. An obvious question is whether there always exists a tightest conservative approximation induced by a given power set algebra. The smallest (by inclusion ordering) $P'_u$ that satisfies formula (4.1) is clearly $P'_u = \bigcup P$. However, in general, there is no largest $P'_l$ that satisfies formula (4.2), so there is no tightest conservative approximation. Our definition of the standard conservative approximation induced by a power set algebra is a compromise that works well in many cases.
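The $interleave$ function of this section, the identity relating it to projection, and the standard conservative approximation of definition 4.2, as an added Python example that is not the thesis's own code. It also exhibits a set $P$ for which two incomparable $P'_l$ both satisfy formula (4.2) while their union does not, so no largest $P'_l$ exists. The tuple representation of traces and the bounded enumeration standing in for $B_C(A)$ are assumptions of the example.

```python
from itertools import combinations, permutations, product

# Added example, not the thesis's own code. A trace of C_Q (untimed, explicit
# simultaneity) is modelled as a tuple of non-empty frozensets; a trace of the
# interleaving algebra as a tuple of symbols. Only finite traces up to a length
# bound are enumerated, which is an assumption of this example.


def proj_q(B, x):
    """proj of C_Q: intersect every set with B, drop the sets that become empty."""
    return tuple(s & B for s in x if s & B)


def proj_i(B, x):
    """proj of the interleaving algebra: keep the symbols that lie in B."""
    return tuple(a for a in x if a in B)


def interleave(x):
    """interleave(x): every concatenation of one permutation of each set x(n)."""
    result = {()}
    for s in x:
        result = {t + p for t in result for p in permutations(sorted(s))}
    return frozenset(result)


def proj_power(B, y):
    """proj of the power set algebra: the natural extension of proj_i to sets."""
    return frozenset(proj_i(B, x1) for x1 in y)


def interleave_identity(x, B):
    """interleave(proj(B)(x)) == {proj(B)(x') : x' in interleave(x)}."""
    return interleave(proj_q(B, x)) == proj_power(B, interleave(x))


def all_traces(A, max_len):
    """All C_Q traces over A of length <= max_len (finite stand-in for B_C(A))."""
    subsets = [frozenset(c) for r in range(1, len(A) + 1)
               for c in combinations(sorted(A), r)]
    return [t for n in range(max_len + 1) for t in product(subsets, repeat=n)]


def standard_approximation(P, A, max_len):
    """P'_u = U P and P'_l = U P - U{x in B_C(A) - P : x subseteq U P},
    with interleave(x) playing the role of the set x of definition 4.1."""
    P = set(P)
    upper = frozenset().union(*(interleave(x) for x in P))
    spurious = [x for x in all_traces(A, max_len)
                if x not in P and interleave(x) <= upper]
    lower = upper - frozenset().union(*(interleave(x) for x in spurious))
    return upper, lower


def is_upper_bound(P_u, P):
    """Formula (4.1): interleave(x) subseteq P_u for every x in P."""
    return all(interleave(x) <= P_u for x in P)


def is_lower_bound(P_l, P, A, max_len):
    """Formula (4.2): every x in B_C(A) with interleave(x) subseteq P_l lies in P."""
    return all(x in P for x in all_traces(A, max_len) if interleave(x) <= P_l)


def no_largest_lower_bound_example():
    """For P = {({a},{b}), ({b},{a})}, both {(a,b)} and {(b,a)} satisfy (4.2) but
    their union does not; the standard choice of P'_l is the empty set."""
    A = frozenset({'a', 'b'})
    ab = (frozenset({'a'}), frozenset({'b'}))
    ba = (frozenset({'b'}), frozenset({'a'}))
    P = {ab, ba}
    upper, lower = standard_approximation(P, A, 2)
    cand1, cand2 = frozenset({('a', 'b')}), frozenset({('b', 'a')})
    return {
        'upper': upper,
        'lower': lower,
        'constraints_hold': is_upper_bound(upper, P) and is_lower_bound(lower, P, A, 2),
        'both_candidates_ok': is_lower_bound(cand1, P, A, 2) and is_lower_bound(cand2, P, A, 2),
        'union_ok': is_lower_bound(cand1 | cand2, P, A, 2),
    }
```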

The remainder of this section proves that a conservative approximation induced by a power set algebra is in fact a conservative approximation.

Lemma  4.3.  A  conservative  approximation  induced  by  a  power  set  algebra  is  a  conservative 
approximation. 

Proof. Adopt the notation used in definition 4.2. By theorem 2.36 (which states that a conservative approximation remains conservative when "loosened"), the current lemma is satisfied if $\Psi$ is a conservative approximation when $P'_u$ is the smallest set satisfying formula (4.1). Thus, we may assume that

$$\Psi_u(T) = (\gamma, \bigcup P).$$

We use theorem 2.35 to show that $\Psi$ is a conservative approximation by showing that $\Psi$ satisfies A1 through A4.

Lemma 4.4. $\Psi$ satisfies A1.


Proof. Let $T = T_1 \parallel T_2$; then

$$P = \{x \in B_C(A) : proj(A_1)(x) \in P_1 \land proj(A_2)(x) \in P_2\}.$$

Also, let $T'_1 = \Psi_u(T_1)$, $T'_2 = \Psi_u(T_2)$ and $T' = T'_1 \parallel T'_2$. We must show that $\bigcup P \subseteq P'$.

$$x' \in \bigcup P \iff \exists x \in B_C(A)\,[x' \in x \land proj(A_1)(x) \in P_1 \land proj(A_2)(x) \in P_2]$$
by the definition of $\Psi_u$
$$\Rightarrow \exists x \in B_C(A)\,[x' \in x \land proj(A_1)(x) \subseteq P'_1 \land proj(A_2)(x) \subseteq P'_2]$$
by the definition of $proj$ on traces in $C_C$
$$\Rightarrow proj'(A_1)(x') \in P'_1 \land proj'(A_2)(x') \in P'_2$$
$$\Rightarrow x' \in P'.$$


□ 

Lemma 4.5. $\Psi$ satisfies A2.

Proof.

$$\bigcup proj(B)(P) = \{x' : \exists x \in proj(B)(P)\,[x' \in x]\}$$
by the definition of $proj(B)$ on sets of traces in $C_C$
$$= \{x' : \exists y \in P\,[x' \in proj(B)(y)]\}$$
since $\forall x'\,\exists y'\,[x' = proj'(B)(y')]$, by T4
$$= \{proj'(B)(y') : \exists y \in P\,[proj'(B)(y') \in proj(B)(y)]\}$$
by the definition of $proj(B)$ on traces in $C_C$
$$= \{proj'(B)(y') : \exists y \in P\,[y' \in y]\}$$
by the definition of $proj'(B)$ on sets of traces in $C'_C$
$$= proj'(B)(\{y' : \exists y \in P\,[y' \in y]\})$$

$$= proj'(B)(\bigcup P).$$

□ 

Lemma 4.6. $\Psi$ satisfies A3.

Proof.

$$\bigcup rename(r)(P) = \{x' : \exists x \in rename(r)(P)\,[x' \in x]\}$$
by the definition of $rename(r)$ on sets of traces in $C_C$
$$= \{x' : \exists y \in P\,[x' \in rename(r)(y)]\}$$
since $rename(r)$ is a bijection in any trace algebra
$$= \{rename'(r)(y') : \exists y \in P\,[rename'(r)(y') \in rename(r)(y)]\}$$
by the definition of $rename(r)$ on traces in $C_C$
$$= \{rename'(r)(y') : \exists y \in P\,[y' \in y]\}$$
by the definition of $rename'(r)$ on sets of traces in $C'_C$
$$= rename'(r)(\{y' : \exists y \in P\,[y' \in y]\})$$

$$= rename'(r)(\bigcup P).$$

□ 

Lemma 4.7. $\Psi$ satisfies A4.

Proof. Assume $\Psi_l(T_1) \subseteq \Psi_l(T_2)$. Then $A_1 = A_2$; let $A = A_1$. Also, let $T'_1 = \Psi_l(T_1)$ and $T'_2 = \Psi_l(T_2)$. We must show that $P_1 \subseteq P_2$.

$$x \in P_1$$
by the definition of $\Psi_l$
$$\Rightarrow x \subseteq P'_1$$
since $P'_1 \subseteq P'_2$
$$\Rightarrow x \subseteq P'_2$$
by the definition of $\Psi_l$
$$\Rightarrow x \in P_2.$$

□ 

□ 

4.2  Quantized  Time  with  Interleaving  Semantics 

In this section, we describe two different, but isomorphic, trace algebras for quantized time with interleaving. The first is quite similar to the quantized time algebra of definition 3.10 except that for a trace $x = (u,\tau)$ the sequence $u$ is over $A$ rather than $2^A - \{\emptyset\}$. It is used to construct a conservative approximation from quantized time with simultaneity to quantized time with interleaving, which extends the conservative approximation from continuous time. The second has traces that are sequences over $A \cup \{\psi\}$, where $\psi$ is a special symbol that indicates the passage of a unit of time [16, 17, 18]. For example, the trace $\psi\psi b\psi$ represents a behavior in which a $b$ event has a time stamp of 2.

The  remainder  of  this  section  formalizes  these  ideas. 

Definition 4.8. We define the quantized time trace algebra with interleaving as follows. For all alphabets $A$, a trace $x = (u,\tau)$ in $B_C(A)$ is such that

• $u$ is a (possibly infinite) sequence over $A$,

• $\tau$ is a (possibly infinite) sequence over $\mathcal{N}$,

• $u$ and $\tau$ are the same length,

• $n_0 < n_1$ implies $\tau(n_0) \le \tau(n_1)$ (increasing), and

• if $\tau$ has infinite length, then it is unbounded,

$$\forall t \in \mathcal{N}\,[\exists n \in \mathcal{N}\,[t < \tau(n)]].$$

Let $x = (u,\tau)$ be a trace over some alphabet $A$.

• $proj(B)(x) = (u',\tau')$, where $u'$ is the sequence formed from $u$ by removing every symbol $a$ not in $B$, and $\tau'$ is formed from $\tau$ by removing the corresponding time stamps. More formally, $len(u')$ and $len(\tau')$ are both equal to

$$|\{j \in \mathcal{N} : 0 \le j < len(u) \land u(j) \in B\}|.$$

Also,

$$u'(k) = u(n)$$
$$\tau'(k) = \tau(n),$$

and $n$ is the unique integer such that $u(n) \in B$ and
$$k = |\{j \in \mathcal{N} : 0 \le j < n \land u(j) \in B\}|.$$

• $rename(r)(x) = (\lambda n \in \mathcal{N}[r(u(n))], \tau)$.


Lemma 4.9. The trace algebra of definition 4.8 is a trace algebra.

Proof. The proof is analogous to that of lemma 3.11, which shows that the quantized time algebra of definition 3.10 is a trace algebra.

□ 

Definition 4.10. We define the $\psi$-based trace algebra as follows:

• The set $B_C(A)$ of traces over an alphabet $A$ is the set of $x \in (A \cup \{\psi\})^\omega$ such that $\psi$ appears infinitely often in $x$ (we assume $\psi \notin A$, see note 3.1, p. 59).

• If $x \in B_C(A)$ and $B \subseteq A$, then $proj(B)(x)$ is the sequence formed from $x$ by removing every symbol $a$ not in $B \cup \{\psi\}$. More formally,

$$proj(B)(x) = proj(B \cup \{\psi\})(x),$$

where the projection on the right is that of the untimed interleaving algebra of section 4.1.

• If $x \in B_C(A)$ and $r$ is a renaming function with domain $A$, then $rename(r)(x)$ is the sequence formed from $x$ by replacing every $a \in A$ with $r(a)$.

Lemma  4.11.  is  a  trace  algebra. 

Proof.  The  proof  is  a  slight  modification  of  the  proof  that  is  a  trace  algebra  (lemma  4.33), 
and  is  left  as  an  exercise  for  the  reader. 

□ 

Definition  4.12.  We  define  to  be  the  ordered  pair  T‘^^^),  where  is  the  set 

of  all  trace  structures  over  .  By  theorem  2.27,  is  a  trace  structure  algebra, 

is  similarly  defined. 

Lemma  4.13.  is  isomorphic  to  . 

Proof. It is sufficient to show that there is a bijection $h$ from to that satisfies the requirements of a homomorphism.

Let $x$ be a trace in $B(A)$. We define $h$ such that $h(x) = (u, \tau)$, where
$$u(k) = x(n), \qquad \tau(k) = n - k,$$
and $n$ is the unique integer such that $x(n) \ne \varphi$ and
$$k = |\{\,j \in \mathbb{N} : 0 \le j < n \wedge x(j) \ne \varphi\,\}|.$$

It is straightforward, but tedious, to show that $h$ is a bijection and that it satisfies the requirements for being a homomorphism. The proof is left as an exercise for the reader.

□

Corollary  4.14.  is  isomorphic  to 
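The map $h$ of lemma 4.13 between the two discrete-time representations (definitions 4.8 and 4.10), worked on finite prefixes as an added example. This is Python written for this page, not code from the thesis; the names `PHI`, `h`, `h_inv`, `proj_phi`, `proj_ts`, `rename_phi`, `rename_ts` and `homomorphism_laws_hold` are the example's own. Complete traces in the thesis are infinite; on finite prefixes $h$ loses trailing $\varphi$ symbols, so the example checks the homomorphism laws for projection and renaming rather than bijectivity.

```python
# Added example for this page (not code from the thesis): the two
# discrete-time trace representations of definitions 4.8 and 4.10 and the
# map h of lemma 4.13 between them, worked on finite prefixes.
PHI = "phi"   # the special symbol: one unit of time passes


def is_timestamped_trace(ut):
    """Definition 4.8 on a finite prefix: u and tau have the same length and
    tau is non-decreasing (the unboundedness condition concerns infinite tau)."""
    u, tau = ut
    return len(u) == len(tau) and all(a <= b for a, b in zip(tau, tau[1:]))


def h(x):
    """Lemma 4.13: h(x) = (u, tau) with u(k) the k-th non-phi symbol of x and
    tau(k) = n - k, i.e. the number of phi symbols before its position n."""
    u, tau, elapsed = [], [], 0
    for sym in x:
        if sym == PHI:
            elapsed += 1
        else:
            u.append(sym)
            tau.append(elapsed)
    return tuple(u), tuple(tau)


def h_inv(ut):
    """Inverse of h: emit tau(k) - tau(k-1) phi symbols before each event.
    Trailing phi symbols of a finite prefix are not recoverable, which is why
    the thesis defines h on infinite traces in which phi occurs infinitely often."""
    if not is_timestamped_trace(ut):
        raise ValueError("not a trace of definition 4.8")
    u, tau = ut
    x, elapsed = [], 0
    for sym, t in zip(u, tau):
        x.extend([PHI] * (t - elapsed))
        elapsed = t
        x.append(sym)
    return tuple(x)


def proj_phi(B, x):
    """Definition 4.10: keep the symbols in B together with phi."""
    return tuple(s for s in x if s == PHI or s in B)


def proj_ts(B, ut):
    """Definition 4.8: drop events not in B together with their time stamps."""
    u, tau = ut
    kept = [(s, t) for s, t in zip(u, tau) if s in B]
    return tuple(s for s, _ in kept), tuple(t for _, t in kept)


def rename_phi(r, x):
    """Definition 4.10: replace every a in A by r(a); phi is untouched."""
    return tuple(PHI if s == PHI else r[s] for s in x)


def rename_ts(r, ut):
    """Definition 4.8: rename(r)(x) = (lambda n [r(u(n))], tau)."""
    u, tau = ut
    return tuple(r[s] for s in u), tau


def homomorphism_laws_hold(x, B, r):
    """h must commute with projection and renaming (the homomorphism laws)."""
    return (h(proj_phi(B, x)) == proj_ts(B, h(x))
            and h(rename_phi(r, x)) == rename_ts(r, h(x)))
```

Running `h` on the page's own example `(PHI, PHI, "b", PHI)` yields `(("b",), (2,))`, the single event `b` with time stamp 2; two events with no `phi` between them receive equal time stamps, which is why definition 4.8 only needs the stamps to be non-decreasing.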

4.2.1  Approximating  Continuous  Time 

In  this  section  we  complete  the  conservative  approximation  from  Aq'^^  to  Ac^\  Since  we  have 
already  constructed  a  conservative  approximation  from  A^'^^  to  it  is  only  necessary  to 

go  from  Ac^^  to  A^^^ .  There  exists  a  trace  algebra  that  is  a  power  set  algebra  over 

Cc  and  is  isomorphic  to  A^^^ .  This  allows  us  to  construct  a  conservative  approximation 
from  Aq^^  to  A^^\  We  define  the  set  of  interleavings  of  a  trace  in  to  be  a  set  of  traces 

in  .  Each  trace  in  is  the  set  of  interleavings  of  a  trace  in  . 

The  remainder  of  this  section  proves  these  claims. 

Definition 4.15. Let $x = (u, \tau)$ be a trace in . For all $n \in \mathbb{N}$ such that $n \le \mathrm{len}(x)$,
$$l_n = \sum_{k=0}^{n-1} |u(k)|.$$
We define $\mathrm{interleave}(x) \subseteq B(A)$ to be the set of traces $x' = (u', \tau')$ such that for all $n$,
$$u(n) = \{\,u'(k) : l_n \le k < l_{n+1}\,\}$$
and
$$\forall k\,[\,l_n \le k < l_{n+1} \Rightarrow \tau(n) = \tau'(k)\,].$$

Definition 4.16. We define the trace algebra as follows. For all alphabets $A$, the set of traces over $A$ is
$$\{\,\mathrm{interleave}(x) : x \in B_C(A)\,\}.$$
The operations on traces of are the natural extension of the operations of to these sets of traces.

Corollary  4.17.  is  a  power  set  algebra  over  . 

Lemma  4.18.  is  a  trace  algebra  and  it  is  isomorphic  to  . 
Proof. Since is a trace algebra, it is sufficient to show that there is a bijection $h$ from to that satisfies the requirements of a homomorphism. This demonstrates that is a trace algebra, as well as showing that it is isomorphic to .

Let $x = (u, \tau)$ be a trace in $B_C(A)$. The obvious candidate for $h$ is
$$h(x) = \mathrm{interleave}(x).$$

It is straightforward, but tedious, to show that $h$ is a bijection and that it satisfies the requirements for being a strong homomorphism. The proof is left as an exercise for the reader.


□ 
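The function $\mathrm{interleave}$ of definition 4.15 and the projection-commutation that lemma 4.18 relies on, as an added example (Python written for this page, not code from the thesis). A trace of the model with explicit simultaneity is represented as `(u, tau)` with each `u[n]` a frozenset of events that occur together at time `tau[n]`; `offset` computes $l_n$. The projection `proj_sim` on simultaneity traces (drop events outside $B$, and drop any step left empty) is this example's assumption, since the page does not spell that operation out here.

```python
from itertools import permutations, product

# Added example for this page (not code from the thesis): interleave(x) of
# definition 4.15 and the projection commutation used in lemma 4.18.
# A trace x = (u, tau) of the model with explicit simultaneity is represented
# with u(n) a frozenset of the events that occur together at time tau(n);
# an interleaved trace x' = (u', tau') lists those events one at a time.


def offset(x, n):
    """l_n = sum_{k<n} |u(k)|: index in u' where the events of step n start."""
    return sum(len(s) for s in x[0][:n])


def interleave(x):
    """All traces x' obtained by ordering each simultaneous set arbitrarily
    and giving every event the time stamp of its step."""
    u, tau = x
    per_step = [[tuple((e, t) for e in order) for order in permutations(sorted(events))]
                for events, t in zip(u, tau)]
    result = set()
    for choice in product(*per_step):
        flat = [pair for step in choice for pair in step]
        result.add((tuple(e for e, _ in flat), tuple(t for _, t in flat)))
    return result


def is_interleaving(x, xp):
    """Check the two conditions of definition 4.15 directly on a candidate x'."""
    u, tau = x
    up, taup = xp
    if len(up) != offset(x, len(u)) or len(taup) != len(up):
        return False
    for n in range(len(u)):
        lo, hi = offset(x, n), offset(x, n + 1)
        # u(n) = {u'(k) : l_n <= k < l_{n+1}}, with no event repeated
        if set(up[lo:hi]) != u[n] or len(set(up[lo:hi])) != hi - lo:
            return False
        # every event of step n carries the time stamp tau(n)
        if any(taup[k] != tau[n] for k in range(lo, hi)):
            return False
    return True


def proj_sim(B, x):
    """Projection on simultaneity traces as assumed for this example: events
    outside B are dropped from each step and steps left empty disappear."""
    u, tau = x
    kept = [(s & B, t) for s, t in zip(u, tau) if s & B]
    return tuple(s for s, _ in kept), tuple(t for _, t in kept)


def proj_ts(B, xp):
    """Projection on interleaved traces (definition 4.8)."""
    u, tau = xp
    kept = [(e, t) for e, t in zip(u, tau) if e in B]
    return tuple(e for e, _ in kept), tuple(t for _, t in kept)


def projection_commutes(B, x):
    """interleave(proj(B)(x)) equals the natural extension of proj to the set
    interleave(x) (definition 4.16); this is what lets h(x) = interleave(x)
    in lemma 4.18 respect projection."""
    return interleave(proj_sim(B, x)) == {proj_ts(B, xp) for xp in interleave(x)}
```

For a step with $m$ simultaneous events the set contains $m!$ orderings of that step, so `interleave` grows quickly; that blow-up is the price of the interleaving model, and it is exactly what the conservative approximation of theorem 4.19 lets a verifier avoid paying in the simultaneity model.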

Theorem  4.19.  There  is  a  conservative  approximation  (up  to  isomorphism)  from  to 


Proof.  Since  is  a  power  set  algebra  over  definition  4.2  can  be  used  to  construct 

a  conservative  approximation  from  trace  structures  over  to  trace  structures  over 

This  can  be  used  to  construct  a  conservative  approximation  from  A^'^^  to  A^^^ 
since  is  isomorphic  to 


□ 


4.3  Partial  Traces 

Recall the distinction described in section 2.2 between two different kinds of behaviors: complete behaviors and partial behaviors. A complete behavior has no endpoint; a partial behavior has an endpoint and can be a prefix of a complete behavior or of another partial behavior. Complete traces and partial traces are used to model complete and partial behaviors, respectively. So far we have only considered trace algebras and trace structure algebras that contain complete traces but no partial traces. In the next several sections we extend these algebras to include partial traces.
4.3.1 Trace Algebra with Partial Traces

A trace algebra $C$ with partial traces includes, for each alphabet, a set of complete traces and a set of partial traces. In addition, a concatenation operation is included that takes a partial trace as its first argument and a partial or complete trace as its second argument. Besides the axioms T1 through T8 for trace algebra without partial traces, trace algebra with partial traces must satisfy axioms T9 through T19, which state requirements on the concatenation operation and on the effects of projection and renaming on partial traces.

Definition 4.20. A trace algebra with partial traces $C$ over $W$ is a 5-tuple
$$(B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot).$$
For every alphabet $A$ over $W$, $B_C(A)$ and $B_P(A)$ are non-empty sets, called the set of complete traces and partial traces over $A$, respectively. Notice that $B_C(A)$ and $B_P(A)$ are not necessarily disjoint. Slightly abusing notation, we also write $B_C$ and $B_P$ as abbreviations:
$$B_C = \bigcup\{\,B_C(A) : A \text{ is an alphabet}\,\}$$
$$B_P = \bigcup\{\,B_P(A) : A \text{ is an alphabet}\,\}.$$
We also write $B(A)$ for $B_C(A) \cup B_P(A)$ and $B$ for $B_C \cup B_P$. For every alphabet $B$ over $W$ and every renaming function $r$ over $W$, $\mathrm{proj}(B)$ and $\mathrm{rename}(r)$ are partial functions from $B$ to $B$. The concatenation operation is a partial function from $B_P \times B$ to $B$. The axioms T1 through T8 (see definition 2.7, p. 26) must be satisfied, with each instance of $B_C$ replaced by $B$ in the statement of these axioms. The following axioms T9 through T19 must also be satisfied.

T9. For every alphabet $A$, if $x \in B_P(A)$ and $y \in B(A)$, then $x \cdot y$ is defined and is an element of $B(A)$. If there is no alphabet $A$ such that $x \in B_P(A)$ and $y \in B(A)$, then $x \cdot y$ is undefined.

T10. If $x \cdot y$ is defined and is an element of $B(A)$, then
$$y \in B_C(A) \Leftrightarrow x \cdot y \in B_C(A)$$
$$y \in B_P(A) \Leftrightarrow x \cdot y \in B_P(A).$$

T11. $(x \cdot y) \cdot z = x \cdot (y \cdot z)$.

T12. If $x \cdot y = x \cdot y'$, then $y = y'$.

T13. For every alphabet $A$, there exists a distinguished element $\varepsilon_A$ of $B_P(A)$ such that $x \cdot \varepsilon_A = x$ for all $x \in B_P(A)$ and $\varepsilon_A \cdot y = y$ for all $y \in B(A)$. Also, if $x \cdot y = \varepsilon_A$, then $x = \varepsilon_A$ and $y = \varepsilon_A$.

T14. If $x \cdot y = x' \cdot y'$, then there exist $z, z' \in B_P$ and $z'' \in B$ such that $x \cdot z = x' \cdot z'$ and $z \cdot z'' = y$.

T15. If $z, z' \in B(A)$ and $z \ne z'$, then there exist $x$ and $y$ such that
$$x \cdot y = z \wedge \forall y'[x \cdot y' \ne z'] \quad\text{or}\quad x \cdot y = z' \wedge \forall y'[x \cdot y' \ne z].$$

T16. If $x \in B(A)$ and $\mathrm{proj}(B)(x)$ is defined, then
$$x \in B_C(A) \Leftrightarrow \mathrm{proj}(B)(x) \in B_C(B)$$
$$x \in B_P(A) \Rightarrow \mathrm{proj}(B)(x) \in B_P(B).$$

T17. For all $x$, $y$ and $z'$, $x \cdot y = \mathrm{proj}(B)(z')$ iff there exist $x'$ and $y'$ such that $x = \mathrm{proj}(B)(x')$, $y = \mathrm{proj}(B)(y')$ and $x' \cdot y' = z'$.

T18. If $\mathrm{rename}(r)(x)$ is defined, then
$$x \in B_C(\mathrm{dom}(r)) \Leftrightarrow \mathrm{rename}(r)(x) \in B_C(\mathrm{codom}(r))$$
$$x \in B_P(\mathrm{dom}(r)) \Leftrightarrow \mathrm{rename}(r)(x) \in B_P(\mathrm{codom}(r)).$$

T19. $\mathrm{rename}(r)(x \cdot y) = \mathrm{rename}(r)(x) \cdot \mathrm{rename}(r)(y)$.

T9 states when concatenation is defined. T10, T16 and T18 state when the results of an operation are partial or complete traces. Notice that if $\mathrm{proj}(B)(x)$ is a partial trace, then $x$ need not be a partial trace. For example, this can happen if $x$ is an infinite sequence and $B = \emptyset$.

The trace $x \cdot y$ represents the execution of $x$ followed by the execution of $y$. Given this interpretation of concatenation, it is clear that concatenation should be associative, as required by T11. T12 states that if two behaviors differ for some suffix, then they are different behaviors. For every alphabet $A$, T13 requires the existence of a trace that is analogous to the empty string for formal languages.

Note 4.21. We often write $\varepsilon$ instead of $\varepsilon_A$ when $A$ is clear from context or is independent of $A$.
T14 says that if $x$ and $x'$ are both prefixes of some trace $w$, then there exists some partial trace $w'$ that is a prefix of $w$ such that $x$ and $x'$ are both prefixes of $w'$. T15 says that for any two distinct traces $z$ and $z'$, there must exist a trace $x$ such that $x$ is a prefix of $z$ but not of $z'$, or a prefix of $z'$ but not of $z$.

The reverse implication of T17 is equivalent to requiring that projection distribute over concatenation. The forward implication can be interpreted as follows. Assume the trace $\mathrm{proj}(B)(z')$ can be split into the pieces $x$ followed by $y$, i.e., $x \cdot y = \mathrm{proj}(B)(z')$. Then the trace $z'$ can be split into pieces $x'$ and $y'$ such that $x = \mathrm{proj}(B)(x')$ and $y = \mathrm{proj}(B)(y')$.

It  is  natural  for  renaming  to  distribute  over  concatenation,  as  required  by  T19. 

Note  4.22.  We  naturally  extend  the  concatenation  operation  on  traces  to  an  operation  on 
sets  of  traces. 

As an example trace algebra with partial traces, we construct , which is an extension of the trace algebra $C^{I}$ (without partial traces) formalized in definition 2.9. As with $C^{I}$, the superscript $I$ is a mnemonic for an (untimed) interleaving model. The proof that is a trace algebra is delayed until lemma 4.33 (p. 91).

Definition 4.23. We define the trace algebra with partial traces as follows:

• The set $B_C(A)$ of complete traces over an alphabet $A$ is $A^\infty$ (notice that this definition of $B_C(A)$ is consistent with the definition of $B_C(A)$ given for $C^{I}$).

• The set $B_P(A)$ of partial traces over an alphabet $A$ is $A^*$.

• The projection and renaming operations are the same as in $C^{I}$.

• The concatenation operation is standard concatenation of sequences.

Similarly, can be extended to include partial traces. Notice in the definition below that the set of partial traces over an alphabet $A$ is not $(A \cup \{\varphi\})^*$: non-empty sequences must end with $\varphi$. This is related to the fact that partial traces in a discrete time model must represent a time period that is an integer number of time units long.

Definition 4.24. We define the trace algebra with partial traces as follows:

• The set $B_C(A)$ of complete traces over an alphabet $A$ is the set of $x \in (A \cup \{\varphi\})^\omega$ such that $\varphi$ appears infinitely often in $x$.

• The set $B_P(A)$ of partial traces over an alphabet $A$ is
$$\varepsilon + (A \cup \{\varphi\})^*\,\varphi,$$
that is, the empty sequence and all finite sequences over $A \cup \{\varphi\}$ that end with $\varphi$.

• If $x \in B(A)$ and $B \subseteq A$, then $\mathrm{proj}(B)(x)$ is the sequence formed from $x$ by removing every symbol $a$ not in $B \cup \{\varphi\}$. More formally,
$$\mathrm{proj}(B)(x) = \mathrm{proj}^{I}(B \cup \{\varphi\})(x).$$

• If $x \in B(A)$ and $r$ is a renaming function with domain $A$, then $\mathrm{rename}(r)(x)$ is the sequence formed from $x$ by replacing every $a \in A$ with $r(a)$.

• The concatenation operation is standard concatenation of sequences.

Given  a  trace  algebra  with  complete  traces,  there  are  several  related  trace  algebras  that 
we  can  define,  as  follows. 

Definition 4.25. Given a trace algebra $C = (B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$, we use the subscripts $C$, $P$ and $PC$ to denote the trace algebras
$$C_C = (B_C, \mathrm{proj}, \mathrm{rename})$$
$$C_P = (B_P, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$$
$$C_{PC} = (B_P, \mathrm{proj}, \mathrm{rename}).$$

Lemma 4.37 (p. 92) proves that $C_C$, $C_P$ and $C_{PC}$ satisfy the appropriate axioms of trace algebra.

Typically, $C_C$ is used when only complete traces are of interest. We have already seen an example of this notation with the trace algebras C^ and C^. The algebras $C_P$ and $C_{PC}$ are used when restricting to safety properties; using only traces in $B_P$ is analogous to using only finite sequences, without infinite sequences, to represent behaviors.

We  can  use  the  concatenation  operation  to  define  suffixes  and  prefixes. 

Definition 4.26. Let $x \in B_P(A)$ and $Z \subseteq B(A)$. The functions $\mathrm{suf}(x, Z)$, $\mathrm{pref}(Z)$ and $\mathrm{suf}(Z)$ are given by
$$\mathrm{suf}(x, Z) = \{\,y \in B(A) : x \cdot y \in Z\,\}$$
$$\mathrm{pref}(Z) = \{\,x \in B_P(A) : \mathrm{suf}(x, Z) \ne \emptyset\,\}$$
$$\mathrm{suf}(Z) = \bigcup_{x \in \mathrm{pref}(Z)} \mathrm{suf}(x, Z).$$

Definition 4.27. We say $X$ is prefix-closed iff $\mathrm{pref}(X) \subseteq X$.

Note 4.28. If $x \in B$, we sometimes write $\mathrm{pref}(x)$ to denote $\mathrm{pref}(\{x\})$. Similarly for $\mathrm{suf}(x)$.

The  remainder  of  this  section  proves  the  claims  made  above,  and  proves  some  additional 
results  about  trace  algebras  with  partial  traces.  It  may  be  skipped  on  first  reading. 
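The sequence-based trace algebra with partial traces of definition 4.23, with the prefix and suffix functions of definition 4.26, prefix-closure (definition 4.27) and the splitting construction behind T17 (lemma 4.36), as an added example. This is Python written for this page, not code from the thesis; traces are tuples, and all function names (`concat`, `proj`, `rename`, `suf`, `pref`, `suf_all`, `prefix_closed`, `split_under_proj`) are the example's own. The example keeps every trace finite, so $B_P(A) = A^*$ and the finite part of $B_C(A) = A^\infty$ coincide.

```python
# Added example for this page (not code from the thesis): the sequence-based
# trace algebra with partial traces of definition 4.23, restricted to finite
# words, together with suf/pref of definition 4.26 and the T17 split.


def concat(x, y):
    """The concatenation operation: plain sequence concatenation."""
    return x + y


def proj(B, x):
    """Projection removes every symbol not in B."""
    return tuple(a for a in x if a in B)


def rename(r, x):
    """Renaming applies the function r (a dict) symbol-wise."""
    return tuple(r[a] for a in x)


def suf(x, Z):
    """Definition 4.26: suf(x, Z) = {y : x . y in Z}."""
    return {z[len(x):] for z in Z if z[:len(x)] == x}


def pref(Z):
    """pref(Z) = {x in B_P : suf(x, Z) non-empty}, i.e. every prefix of a trace in Z."""
    return {z[:k] for z in Z for k in range(len(z) + 1)}


def suf_all(Z):
    """suf(Z) = union over x in pref(Z) of suf(x, Z): every suffix of a trace in Z."""
    return set().union(*(suf(x, Z) for x in pref(Z)))


def prefix_closed(X):
    """Definition 4.27."""
    return pref(X) <= X


def split_under_proj(B, z, x):
    """Forward direction of T17 (the construction of lemma 4.36): given
    x . y = proj(B)(z), return (x', y') with x' . y' = z, proj(B)(x') = x and
    proj(B)(y') = y.  x' ends just after the len(x)-th symbol of z that lies in B."""
    if proj(B, z)[:len(x)] != x:
        raise ValueError("x is not a prefix of proj(B)(z)")
    seen, cut = 0, 0
    while seen < len(x):
        if z[cut] in B:
            seen += 1
        cut += 1
    xp, yp = z[:cut], z[cut:]
    assert concat(xp, yp) == z and proj(B, xp) == x
    return xp, yp
```

`suf` and `pref` are computed by slicing because every trace here is a finite word; for the general algebra they are defined only through the axioms, which is why corollaries 4.29 through 4.32 are stated abstractly. The checks of corollary 4.29.1 (projection distributes over concatenation), corollary 4.32.3 ($Z \subseteq \mathrm{suf}(Z)$) and corollary 4.32.4 (nested suffixes compose) all pass on these finite words.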

We begin with some simple corollaries that follow immediately from the axioms of trace algebra.

Corollary 4.29.

1. By T17, $\mathrm{proj}(B)(x) \cdot \mathrm{proj}(B)(y) = \mathrm{proj}(B)(x \cdot y)$.

2. By T13 and T15 (with $z' = \varepsilon_A$), if $z \in B(A)$ is not equal to $\varepsilon_A$, then there exist $x$ and $y$ such that $x \cdot y = z$ and $x \ne \varepsilon_A$.

We  also  prove  some  simple  corollaries  related  to  suffixes  and  prefixes. 

Corollary 4.30.
$$\mathrm{suf}(x, X \cup Y) = \mathrm{suf}(x, X) \cup \mathrm{suf}(x, Y),$$
$$\mathrm{pref}(X \cup Y) = \mathrm{pref}(X) \cup \mathrm{pref}(Y),$$
$$\mathrm{suf}(X \cup Y) = \mathrm{suf}(X) \cup \mathrm{suf}(Y).$$

Corollary 4.31. If $X \subseteq Y$, then
$$\mathrm{suf}(x, X) \subseteq \mathrm{suf}(x, Y),$$
$$\mathrm{pref}(X) \subseteq \mathrm{pref}(Y),$$
$$\mathrm{suf}(X) \subseteq \mathrm{suf}(Y).$$

Corollary 4.32.

1. By T13, if $Z \ne \emptyset$, then $\varepsilon \in \mathrm{pref}(Z)$.

2. By T13, $(Z \cap B_P) \subseteq \mathrm{pref}(Z)$.

3. By item 1, $Z \subseteq \mathrm{suf}(Z)$.

4. By T11, $\mathrm{suf}(x, \mathrm{suf}(y, X)) = \mathrm{suf}(y \cdot x, X)$.

5. By T6, T7 and T19, $\mathrm{rename}(r)(\mathrm{suf}(x, X)) = \mathrm{suf}(\mathrm{rename}(r)(x), \mathrm{rename}(r)(X))$.

We must also prove our claim that is a trace algebra.

Lemma 4.33. is a trace algebra with partial traces.

Proof. To show that is a trace algebra with partial traces, we must show that it satisfies T1 through T19. Axioms T1 through T8 hold since $C^{I}$ is a trace algebra without partial traces and the complete traces $B_C$ are exactly the traces of $C^{I}$. T9, T10, T16 and T18 are easy to verify. T11 and T12 are basic properties of concatenation of finite and infinite sequences. The $\varepsilon_A$ of T13 is just the empty sequence $\varepsilon$, for every alphabet $A$. T19 is also easy to show. All that remains is T14, T15 and T17.

Lemma 4.34. satisfies T14.

Proof. Assume $x \cdot y = x' \cdot y'$; we must show that there exist partial traces $z$ and $z'$ such that $x \cdot z = x' \cdot z'$. There is no loss of generality in assuming that $\mathrm{len}(x') \le \mathrm{len}(x)$. Let $z = \varepsilon$. By our assumptions, the length of $y'$ must be at least $\mathrm{len}(x) - \mathrm{len}(x')$. Let $z'$ be the prefix of $y'$ that has length $\mathrm{len}(x) - \mathrm{len}(x')$. Both $z'$ and $z$ are of finite length, so they are partial traces. It is easy to check that $x' \cdot z' = x \cdot z$. Let $z'' = y$; clearly $z \cdot z'' = y$.

□ 

Lemma 4.35. satisfies T15.

Proof. Assume $z$ and $z'$ are distinct elements of $B(A)$. If $z$ and $z'$ have different lengths, then there is no loss of generality in assuming that $z'$ is the shorter of the two. In this case, $z'$ must have finite length, say $n$, and $z$ must have a length of at least $n + 1$. T15 is satisfied by letting $x$ be the length $n + 1$ prefix of $z$.

If $z$ and $z'$ have the same length $n$, then there must exist a $k < n$ such that $z(k) \ne z'(k)$. T15 is satisfied by letting $x$ be the length $k + 1$ prefix of either $z$ or $z'$.

□
Lemma 4.36. satisfies T17.

Proof. The reverse implication of T17 is equivalent to
$$\mathrm{proj}(B)(x' \cdot y') = \mathrm{proj}(B)(x') \cdot \mathrm{proj}(B)(y'),$$
which follows easily from the definition of $\mathrm{proj}$.

To prove the forward implication, let $B \subseteq A$. We consider the case where $z'$ is a finite length sequence; the generalization to the infinite case is straightforward. There is no loss of generality in assuming that $z'$ is of the form $s_0 b_0 s_1 b_1 \cdots$, where $b_i \in B$ and $s_i \in (A - B)^*$. If $x \cdot y = \mathrm{proj}(B)(z')$, then there must exist a $k$ such that
$$x = b_0 \cdots b_{k-1}$$
and $y$ is the rest of $\mathrm{proj}(B)(z')$. Therefore, it is sufficient to let $x'$ and $y'$ be such that
$$x' = s_0 b_0 \cdots s_{k-1} b_{k-1}$$
and $y'$ is the rest of $z'$.

□

Next we prove the claim made in definition 4.25 about the existence of trace algebras $C_C$, $C_P$ and $C_{PC}$, given a trace algebra with complete traces $C$.

Lemma 4.37. If $C = (B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$ is a trace algebra with partial traces, then
$$C_C = (B_C, \mathrm{proj}, \mathrm{rename})$$
$$C_P = (B_P, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$$
$$C_{PC} = (B_P, \mathrm{proj}, \mathrm{rename})$$
are trace algebras.

Proof.

Lemma 4.38. $C_C$ is a trace algebra without partial traces.

Proof. Since $C$ satisfies T16 and T18, $C_C$ is closed under projection and renaming. We must show that $C_C$ satisfies T1 through T8. Except for T4, all of these axioms obviously remain true when traces are removed from the domain. To prove T4, let $x \in B_C(A)$ and $x' \in B_C(A')$ be such that $\mathrm{proj}(A \cap A')(x) = \mathrm{proj}(A \cap A')(x')$, and let $A''$ be an alphabet such that $A \cup A' \subseteq A''$. Since $C$ satisfies T4, there exists $x'' \in B_C(A'') \cup B_P(A'')$ such that $x = \mathrm{proj}(A)(x'')$ and $x' = \mathrm{proj}(A')(x'')$. We must show that $x'' \in B_C(A'')$, which is true since $x \in B_C(A)$, $x = \mathrm{proj}(A)(x'')$ and $C$ satisfies T16.

□

Next we must show that $C_P$ is a trace algebra with partial traces. Since $C$ satisfies T10, T16 and T18, $C_P$ is closed under concatenation, projection and renaming. We must show that $C_P$ satisfies T1 through T19. The next lemma shows that $C_P$ satisfies T4; the remaining axioms are handled in a later lemma.

Lemma 4.39. $C_P$ satisfies T4.

Proof. To prove T4, let $x_0 \in B_P(A)$ and $x'_0 \in B_P(A')$ be such that $\mathrm{proj}(A \cap A')(x_0) = \mathrm{proj}(A \cap A')(x'_0)$, and let $A''$ be an alphabet such that $A \cup A' \subseteq A''$. We must show that there exists $x''_0 \in B_P(A'')$ such that $x_0 = \mathrm{proj}(A)(x''_0)$ and $x'_0 = \mathrm{proj}(A')(x''_0)$.

Since $C$ satisfies T4, there exists $w'' \in B(A'')$ such that $x_0 = \mathrm{proj}(A)(w'')$ and $x'_0 = \mathrm{proj}(A')(w'')$.

Since $C$ satisfies T13, $x_0 \cdot \varepsilon_A = \mathrm{proj}(A)(w'')$ and $x'_0 \cdot \varepsilon_{A'} = \mathrm{proj}(A')(w'')$. Since $C$ satisfies T17, there exist $x_1 \in B_P(A'')$ and $y_1 \in B_C(A'') \cup B_P(A'')$ such that $x_0 = \mathrm{proj}(A)(x_1)$, $\varepsilon_A = \mathrm{proj}(A)(y_1)$ and $x_1 \cdot y_1 = w''$. Similarly, there exist $x'_1 \in B_P(A'')$ and $y'_1 \in B_C(A'') \cup B_P(A'')$ such that $x'_0 = \mathrm{proj}(A')(x'_1)$, $\varepsilon_{A'} = \mathrm{proj}(A')(y'_1)$ and $x'_1 \cdot y'_1 = w''$.

Notice that $x_1 \cdot y_1 = x'_1 \cdot y'_1$. Since $C$ satisfies T14, there exist $z_1, z'_1 \in B_P(A'')$ and $z''_1 \in B(A'')$ such that $x_1 \cdot z_1 = x'_1 \cdot z'_1$ and $z_1 \cdot z''_1 = y_1$. Notice,
$$z_1 \cdot z''_1 = y_1 \;\Rightarrow\; x_1 \cdot (z_1 \cdot z''_1) = x_1 \cdot y_1$$
since $C$ satisfies T11
$$\Leftrightarrow\; (x_1 \cdot z_1) \cdot z''_1 = x_1 \cdot y_1$$
since $x_1 \cdot y_1 = x'_1 \cdot y'_1$ and $x_1 \cdot z_1 = x'_1 \cdot z'_1$
$$\Leftrightarrow\; (x'_1 \cdot z'_1) \cdot z''_1 = x'_1 \cdot y'_1$$
since $C$ satisfies T11
$$\Leftrightarrow\; x'_1 \cdot (z'_1 \cdot z''_1) = x'_1 \cdot y'_1$$
since $C$ satisfies T12
$$\Leftrightarrow\; z'_1 \cdot z''_1 = y'_1.$$

Also,
$$z_1 \cdot z''_1 = y_1 \;\Rightarrow\; \mathrm{proj}(A)(z_1 \cdot z''_1) = \mathrm{proj}(A)(y_1)$$
since $\mathrm{proj}(A)(y_1) = \varepsilon_A$
$$\Leftrightarrow\; \mathrm{proj}(A)(z_1 \cdot z''_1) = \varepsilon_A$$
since $C$ satisfies T17
$$\Leftrightarrow\; \mathrm{proj}(A)(z_1) \cdot \mathrm{proj}(A)(z''_1) = \varepsilon_A$$
since $C$ satisfies T13
$$\Rightarrow\; \mathrm{proj}(A)(z_1) = \varepsilon_A.$$

Similarly, $\mathrm{proj}(A')(z'_1) = \varepsilon_{A'}$.

Let $x''_0 = x_1 \cdot z_1$; notice that $x''_0 \in B_P(A'')$.
$$\mathrm{proj}(A)(x''_0) = \mathrm{proj}(A)(x_1 \cdot z_1)$$
since $C$ satisfies T17
$$= \mathrm{proj}(A)(x_1) \cdot \mathrm{proj}(A)(z_1)$$
since $x_0 = \mathrm{proj}(A)(x_1)$ and $\varepsilon_A = \mathrm{proj}(A)(z_1)$
$$= x_0 \cdot \varepsilon_A$$
since $C$ satisfies T13
$$= x_0.$$

Similarly, $\mathrm{proj}(A')(x''_0) = x'_0$. Therefore, $x''_0$ has the properties needed to show that $C_P$ satisfies T4, since $x''_0 \in B_P(A'')$, $x_0 = \mathrm{proj}(A)(x''_0)$ and $x'_0 = \mathrm{proj}(A')(x''_0)$.

□

Lemma 4.40. $C_P$ is a trace algebra with partial traces.

Proof. As mentioned earlier, $C_P$ is closed under concatenation, projection and renaming. We must show that $C_P$ satisfies T1 through T19. Clearly T1, T2 and T3 remain true when traces are removed from the domain. The previous lemma showed that $C_P$ satisfies T4.

Clearly T5, T6, T7 and T8 remain true when traces are removed from the domain. To prove T9, we must show that for all $x, y$ in $B_P$, $x \cdot y$ is defined iff there exists an alphabet $A$ such that $x \in B_P(A)$ and $y \in B_P(A)$. This follows since $C$ satisfies T9. Since $C$ satisfies T9 and T10, both sides of both iffs in T10 for $C_P$ are identically true, so T10 holds.

Clearly T11, T12, T13 and T14 remain true. Since $C$ satisfies T10, the $x$ and $y$ in T15 must be elements of $B_P$, so T15 remains true.

Since $C$ satisfies T1 and T16, both sides of the iff and the implication in T16 for $C_P$ are identically true, so T16 holds. Since $C$ satisfies T10, the $x'$ and $y'$ in T17 must be elements of $B_P$, so T17 remains true.

Since $C$ satisfies T5 and T18, both sides of both iffs in T18 for $C_P$ are identically true, so T18 holds. Clearly T19 remains true.

□

Lemma 4.41. $C_{PC}$ is a trace algebra without partial traces.

Proof. Let $C' = C_P$. By the previous two lemmas, $C'$ and $C'_C$ are trace algebras. Therefore, $C_{PC}$ is a trace algebra, since $C_{PC} = C'_C$.

□

□

The  final  result  of  this  section  shows  that  traces  can  be  characterized  by  their  set  of  prefixes. 
We  will  use  this  result  when  restricting  models  to  represent  only  safety  properties. 

Theorem 4.42. For some trace algebra $C = (B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$ and some alphabet $A$, let $z$ and $z'$ be elements of $B(A)$. Then
$$z = z' \;\Leftrightarrow\; \mathrm{pref}(z) = \mathrm{pref}(z').$$

Proof. The forward implication is obvious. To prove the reverse implication, assume that $z$ and $z'$ are distinct elements of $B(A)$. By T15, there exist $x$ and $y$ such that
$$x \cdot y = z \wedge \forall y'[x \cdot y' \ne z'] \quad\text{or}\quad x \cdot y = z' \wedge \forall y'[x \cdot y' \ne z].$$
Therefore,
$$x \in \mathrm{pref}(z) \wedge x \notin \mathrm{pref}(z') \quad\text{or}\quad x \in \mathrm{pref}(z') \wedge x \notin \mathrm{pref}(z).$$

□

4.3.2  Restricting  to  Safety  Properties 

It  is  common  to  restrict  a  verification  technique  to  handle  only  safety  properties,  since  this 
can  be  computationally  more  efficient  than  handling  full  liveness  properties.  If  traces  are 
sequences,  then  this  is  just  a  matter  of  restricting  to  prefix-closed  trace  structures  with  only 
finite  sequences.  We  generalize  this  idea  to  arbitrary  traces,  as  follows. 

Definition 4.43. Given a trace algebra $C = (B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$, we use the subscript $PC$ to denote the trace structure algebra
$$\mathcal{A}_{PC} = (C_{PC}, \mathcal{T}),$$
where $\mathcal{T}$ is the set of all prefix-closed trace structures over $C_{PC}$ (see def. 4.25, p. 89). A trace structure $T = (\gamma, P)$ over $C_{PC}$ is prefix-closed iff $\mathrm{pref}(P) \subseteq P$. Lemma 4.44 proves that $\mathcal{A}_{PC}$ is a trace structure algebra.

For an arbitrary trace algebra $C$ with partial traces, it is possible to construct a conservative approximation from trace structures over $C_C$ to $\mathcal{A}_{PC}$. We do this by using an isomorphism based on identifying a single trace in $C_C$ with its set of prefixes (each prefix is a trace in $C_{PC}$). The result is a power set algebra over $C_{PC}$ that is isomorphic to $C_C$, which can be used to construct a conservative approximation induced by a power set algebra. The approximation is only useful for verification if the specification does not include any liveness properties; otherwise a false negative will result (assuming the implementation satisfies its specification). The remainder of this section proves these claims.

Lemma 4.44. If $C$ is a trace algebra with partial traces, then $\mathcal{A}_{PC}$ (as in def. 4.43) is a trace structure algebra.
Proof. Let $\mathcal{T}'$ be the set of all trace structures over $C_{PC}$. By theorem 2.27, $(C_{PC}, \mathcal{T}')$ is a trace structure algebra.

For all alphabets $B$, let $\mathcal{L}(B)$ be the class of all prefix-closed sets of traces of $B_P(B)$. Let
$$\mathcal{T}'' = \{\,T \in \mathcal{T}' : P \in \mathcal{L}(A)\,\}.$$
It is easy to check that $\mathcal{L}(B)$ satisfies L1 through L4. Thus, by theorem 2.30, since $(C_{PC}, \mathcal{T}')$ is a trace structure algebra, so is $(C_{PC}, \mathcal{T}'')$. Notice that $\mathcal{T}''$ is equal to $\mathcal{T}$. Therefore, $\mathcal{A}_{PC} = (C_{PC}, \mathcal{T})$ is a trace structure algebra.

□

Definition 4.45. Given a trace algebra $C = (B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$, we use the subscript $C/P$ to denote the trace algebra
$$C_{C/P} = (B_{C/P}, \mathrm{proj}, \mathrm{rename}),$$
where
$$B_{C/P}(A) = \{\,\mathrm{pref}(x) : x \in B_C(A)\,\},$$
and $\mathrm{proj}$ and $\mathrm{rename}$ are naturally extended to sets of traces. Lemma 4.46 (below) proves that $C_{C/P}$ is a trace algebra and is isomorphic to $C_C$.

Notice that $C_{C/P}$ is a power set algebra (definition 4.1) over $C_{PC}$.

Lemma 4.46. If $C$ is a trace algebra with partial traces, then $C_{C/P}$ (as in def. 4.45) is a trace algebra. Also, $\lambda x[\mathrm{pref}(\{x\})]$ is an isomorphism from $C_C$ to $C_{C/P}$.

Proof. By theorem 4.42, the function $\lambda x[\mathrm{pref}(\{x\})]$ is an alphabet preserving bijection from $B_C$ to $B_{C/P}$. All that remains is to show that it satisfies the homomorphism laws for $\mathrm{proj}$ and $\mathrm{rename}$.
$$\mathrm{pref}(\{\mathrm{proj}(B)(z')\}) = \{\,x : \exists y[x \cdot y = \mathrm{proj}(B)(z')]\,\}$$
since $C$ satisfies T17
$$= \{\,x : \exists y[\exists x', y'[x' \cdot y' = z' \wedge x = \mathrm{proj}(B)(x') \wedge y = \mathrm{proj}(B)(y')]]\,\}$$
since $\exists y[y = \mathrm{proj}(B)(y')]$ for all $y' \in B_C(B)$
$$= \{\,x : \exists x', y'[x' \cdot y' = z' \wedge x = \mathrm{proj}(B)(x')]\,\}$$
by definition of the natural extension of $\mathrm{proj}(B)$
$$= \mathrm{proj}(B)(\{\,x' : \exists y'[x' \cdot y' = z']\,\}).$$

Also,
$$\mathrm{pref}(\{\mathrm{rename}(r)(z')\}) = \{\,x : \exists y[x \cdot y = \mathrm{rename}(r)(z')]\,\}$$
since $C$ satisfies T6 and T7
$$= \{\,x : \exists y[\mathrm{rename}(r^{-1})(x \cdot y) = z']\,\}$$
since $C$ satisfies T19
$$= \{\,x : \exists y[\mathrm{rename}(r^{-1})(x) \cdot \mathrm{rename}(r^{-1})(y) = z']\,\}$$
since $C$ satisfies T6 and T7
$$= \{\,\mathrm{rename}(r)(x') : \exists y'[x' \cdot y' = z']\,\}$$
$$= \mathrm{rename}(r)(\mathrm{pref}(\{z'\})).$$

□

Now we can construct a conservative approximation from trace structures over $C_C$ to trace structures over $C_{PC}$ by using $C_{C/P}$, which is isomorphic to $C_C$ and is a power set algebra over $C_{PC}$. The upper bound $\Psi_u(T)$ is simply the result of composing the isomorphism with the upper bound of the standard conservative approximation induced by $C_{C/P}$. The lower bound $\Psi_l(T)$ is equal to $\Psi_u(T)$ when $T$ has no liveness properties; otherwise, it is equal to the empty trace structure.

Theorem 4.47. Let $C$ be a trace algebra with partial traces, and let $\mathcal{A}_C = (C_C, \mathcal{T}_C)$ be a trace structure algebra, where $\mathcal{T}_C$ is the set of all trace structures over $C_C$. Let $\Psi_u$ and $\Psi_l$ be functions from trace structures $T = (\gamma, P)$ in $\mathcal{A}_C$ to trace structures in $\mathcal{A}_{PC}$ such that $\Psi_u(T) = (\gamma, P_u)$ and $\Psi_l(T) = (\gamma, P_l)$, where
$$P_u = \mathrm{pref}(P)$$
$$P_l = \begin{cases} \mathrm{pref}(P), & \text{if } \forall x\,[\,(x \in B_C(A) \wedge \mathrm{pref}(\{x\}) \subseteq \mathrm{pref}(P)) \Rightarrow x \in P\,], \\ \emptyset & \text{otherwise.} \end{cases}$$
Then $(\Psi_l, \Psi_u)$ is a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}_{PC}$.


Proof. Let $\mathcal{A}_{C/P} = (C_{C/P}, \mathcal{T}_{C/P})$ be a trace structure algebra, where $\mathcal{T}_{C/P}$ is the set of all trace structures over $C_{C/P}$. By lemma 4.46, $C_{C/P}$ is isomorphic to $C_C$, so by corollary 2.40, $\mathcal{A}_C$ is isomorphic to $\mathcal{A}_{C/P}$. The isomorphism from $\mathcal{A}_C$ to $\mathcal{A}_{C/P}$ is the function $H$ such that
$$H((\gamma, P)) = (\gamma, \{\,\mathrm{pref}(\{x\}) : x \in P\,\}).$$

We show that $(\Psi_l, \Psi_u)$ is a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}_{PC}$ by first constructing a conservative approximation $(\Psi'_l, \Psi'_u)$ from $\mathcal{A}_{C/P}$ to $\mathcal{A}_{PC}$, and then showing that $(\Psi_l, \Psi_u)$ is equal to $(\Psi'_l, \Psi'_u)$ composed with $H$.

Let $\Psi'_u$ and $\Psi'_l$ be functions from trace structures $T = (\gamma, P)$ in $\mathcal{A}_{C/P}$ to trace structures in $\mathcal{A}_{PC}$ such that $\Psi'_u(T) = (\gamma, P'_u)$ and $\Psi'_l(T) = (\gamma, P'_l)$, where
$$P'_u = \bigcup P$$
$$P'_l = \begin{cases} \bigcup P, & \text{if } \forall x\,[\,(x \in B_{C/P}(A) \wedge x \subseteq \bigcup P) \Rightarrow x \in P\,], \\ \emptyset & \text{otherwise.} \end{cases}$$
It is easy to check that $(\Psi'_l, \Psi'_u)$ is a conservative approximation from $\mathcal{A}_{C/P}$ to $\mathcal{A}_{PC}$ induced by the power set algebra $C_{C/P}$. It is also easy to check that
$$\Psi_u(T) = \Psi'_u(H(T))$$
$$\Psi_l(T) = \Psi'_l(H(T)),$$
where $H$ is the isomorphism from $\mathcal{A}_C$ to $\mathcal{A}_{C/P}$ described above. Thus, $(\Psi_l, \Psi_u)$ is a conservative approximation from $\mathcal{A}_C$ to $\mathcal{A}_{PC}$.


□ 
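The bounds $\Psi_u$ and $\Psi_l$ of theorem 4.47, and the false negative that section 4.3.2 warns about when a specification carries a liveness property, as an added example (Python written for this page, not code from the thesis). It assumes trace structures are pairs `(A, P)` with `A` a frozenset alphabet and `P` a finite set of finite words, i.e. the algebra of definition 4.23 with only finite complete traces; under that assumption the only complete traces all of whose prefixes lie in $\mathrm{pref}(P)$ are the elements of $\mathrm{pref}(P)$ themselves, since an infinite word would need infinitely many distinct prefixes. The names `pref`, `psi_u`, `psi_l`, `has_liveness`, `contained` and `verify_by_approximation` are the example's own.

```python
# Added example for this page (not code from the thesis): Psi_u and Psi_l of
# theorem 4.47 for trace structures T = (A, P) over finite words with P finite.


def pref(Z):
    """All prefixes of the traces in Z (definition 4.26 on finite words)."""
    return {z[:k] for z in Z for k in range(len(z) + 1)}


def psi_u(T):
    """Upper bound: keep every partial behavior that some trace of T extends."""
    A, P = T
    return A, pref(P)


def has_liveness(T):
    """True iff some complete trace x has pref({x}) contained in pref(P) but
    x not in P, i.e. P rules out a behavior that none of its prefixes rules out.
    With P finite the candidates x are exactly the elements of pref(P)."""
    A, P = T
    closure = pref(P)
    return any(pref({x}) <= closure and x not in P for x in closure)


def psi_l(T):
    """Lower bound: pref(P) when T carries no liveness property, else empty."""
    A, P = T
    return (A, pref(P)) if not has_liveness(T) else (A, set())


def contained(T1, T2):
    """Trace structure containment on a common alphabet."""
    return T1[0] == T2[0] and T1[1] <= T2[1]


def verify_by_approximation(impl, spec):
    """Conservative check in the prefix-closed model: Psi_u(impl) contained in
    Psi_l(spec) implies impl contained in spec. A failed check is inconclusive;
    when spec has a liveness property Psi_l(spec) is empty and the check fails
    even for a correct implementation (the false negative of section 4.3.2)."""
    return contained(psi_u(impl), psi_l(spec))
```

The constructed specification `{("a", "b")}` says "after `a`, `b` must eventually happen": the prefix `("a",)` is allowed but not in the set, so $\Psi_l$ collapses to the empty structure and the safety-only verifier can no longer prove anything against it, exactly the case the page excludes from the approximation's usefulness.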
4.3.3 Trace Structure Algebra with Partial Traces

If $T$ is a trace structure and $x \in \mathrm{pref}(P)$, then $x$ represents a partial behavior that is a prefix of some complete behavior of $T$. After $T$ executes $x$, we might say that $T$ has changed to a different state. It is often useful to think of each state of an agent as being a different agent [76]. With this in mind, we might say that $T$ becomes a different agent after executing $x$. We define the function $\mathrm{suf}$ on trace structures so that we can write $\mathrm{suf}(x, T)$ to denote the agent that $T$ becomes as a result of executing $x$.

Definition 4.48. If $C = (B_C, B_P, \mathrm{proj}, \mathrm{rename}, \cdot)$ is a trace algebra with partial traces and $\mathcal{T}$ is a subset of the trace structures of $C_C$ (recall that $C_C = (B_C, \mathrm{proj}, \mathrm{rename})$, as described in definition 4.25), then $\mathcal{A} = (C, \mathcal{T})$ is a trace structure algebra with partial traces iff the domain $\mathcal{T}$ is closed under the following operations on trace structures: parallel composition (def. 2.18), renaming (def. 2.20), projection (def. 2.19) and suffixing (def. 4.49).

For  trace  structure  algebras  with  partial  traces,  the  operations  of  parallel  composition, 
renaming  and  projection  on  trace  structures  are  defined  exactly  the  same  as  they  were  for 
trace  structure  algebras  without  partial  traces.  Thus,  they  form  a  concurrency  algebra. 

Definition 4.49. $\mathrm{suf}(x, T) = (\gamma, \mathrm{suf}(x, P))$, where $x \in \mathrm{pref}(P)$.

The operation of suffixing is clearly monotonic with respect to trace structure containment. Also, the following propositions involving suffixing are satisfied:
$$\mathrm{suf}(\varepsilon_A, T) = T$$
$$\mathrm{suf}(x, \mathrm{suf}(y, T)) = \mathrm{suf}(y \cdot x, T)$$
$$\mathrm{suf}(x, T \parallel T') = \mathrm{suf}(\mathrm{proj}(A)(x), T) \parallel \mathrm{suf}(\mathrm{proj}(A')(x), T')$$
$$\mathrm{proj}(B)(\mathrm{suf}(x, T)) \subseteq \mathrm{suf}(\mathrm{proj}(B)(x), \mathrm{proj}(B)(T))$$
$$\mathrm{rename}(r)(\mathrm{suf}(x, T)) = \mathrm{suf}(\mathrm{rename}(r)(x), \mathrm{rename}(r)(T)).$$

The  remainder  of  this  section  proves  these  results. 
Theorem 4.50. If $T$ and $T'$ are trace structures, then

$$suf(\epsilon_A, T) = T$$
$$suf(x, suf(y, T)) = suf(y \cdot x, T)$$
$$suf(x, T \parallel T') = suf(proj(A)(x), T) \parallel suf(proj(A')(x), T')$$
$$proj(B)(suf(x, T)) \subseteq suf(proj(B)(x), proj(B)(T))$$
$$rename(r)(suf(x, T)) = suf(rename(r)(x), rename(r)(T)).$$

In all of the relationships, there is an implicit assumption that the left hand side of the equation or inequality is defined.

Proof. The first identity follows easily from T13 and the second follows from corollary 4.32.4. The remaining propositions are proved in the following lemmas.

Lemma 4.51. If $x \in pref(P \parallel P')$, then

$$suf(x, T \parallel T') = suf(proj(A)(x), T) \parallel suf(proj(A')(x), T').$$

Proof. Let $T_1 = suf(x, T \parallel T')$ and let

$$T_2 = suf(proj(A)(x), T) \parallel suf(proj(A')(x), T').$$

We must show that $P_1 = P_2$, where $A_1$ is the alphabet of $T \parallel T'$.

$$\begin{aligned}
P_1 &= suf(x, \{y \in \mathcal{B}_C(A_1) : proj(A)(y) \in P \wedge proj(A')(y) \in P'\}) \\
&= \{z \in \mathcal{B}_C(A_1) : proj(A)(x \cdot z) \in P \wedge proj(A')(x \cdot z) \in P'\} \\
&= \{z \in \mathcal{B}_C(A_1) : proj(A)(x) \cdot proj(A)(z) \in P \wedge proj(A')(x) \cdot proj(A')(z) \in P'\} && \text{by corollary 4.29.1} \\
&= \{z \in \mathcal{B}_C(A_1) : proj(A)(z) \in suf(proj(A)(x), P) \wedge proj(A')(z) \in suf(proj(A')(x), P')\} \\
&= P_2.
\end{aligned}$$

□
Lemma 4.52. If $x \in pref(P)$ and $B \subseteq A$, then

$$proj(B)(suf(x, T)) \subseteq suf(proj(B)(x), proj(B)(T)).$$

Proof. Let $T_1 = proj(B)(suf(x, T))$ and let $T_2 = suf(proj(B)(x), proj(B)(T))$. We must show that $P_1 \subseteq P_2$.

$$\begin{aligned}
P_1 &= proj(B)(suf(x, P)) \\
&= proj(B)(\{y : x \cdot y \in P\}) \\
&= \{proj(B)(y) : x \cdot y \in P\} \\
&\subseteq \{proj(B)(y) : proj(B)(x \cdot y) \in proj(B)(P)\} \\
&= \{proj(B)(y) : proj(B)(x) \cdot proj(B)(y) \in proj(B)(P)\} && \text{by corollary 4.29.1} \\
&\subseteq \{y' : proj(B)(x) \cdot y' \in proj(B)(P)\} \\
&= suf(proj(B)(x), proj(B)(P)) \\
&= P_2.
\end{aligned}$$

□

Lemma 4.53. If $x \in pref(P)$, then

$$rename(r)(suf(x, T)) = suf(rename(r)(x), rename(r)(T)).$$

Proof. Let $T_1 = rename(r)(suf(x, T))$ and let $T_2 = suf(rename(r)(x), rename(r)(T))$. We must show that $P_1 = P_2$.

$$\begin{aligned}
P_1 &= rename(r)(suf(x, P)) \\
&= \{rename(r)(y) : x \cdot y \in P\} \\
&= \{rename(r)(y) : rename(r)(x \cdot y) \in rename(r)(P)\} && \text{by T6 and T7} \\
&= \{rename(r)(y) : rename(r)(x) \cdot rename(r)(y) \in rename(r)(P)\} && \text{by T19} \\
&= \{z : rename(r)(x) \cdot z \in rename(r)(P)\} && \text{by T6 and T7} \\
&= suf(rename(r)(x), rename(r)(P)) \\
&= P_2.
\end{aligned}$$

□
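The identities of theorem 4.50 are easy to exercise on the concrete trace algebra of finite sequences, where a trace is a tuple of symbols, projection deletes the symbols outside the alphabet, renaming applies a bijection to each symbol and concatenation is tuple concatenation. The Python below is an added example and is not part of the thesis or of its verifier; the trace structures `T`, `T2`, `Tp` and the renaming `r` are constructed here purely for illustration. It builds the operations of definitions 2.18 to 2.20 and 4.49 on finite trace sets (parallel composition enumerates the finitely many candidate traces, which suffices because every trace of the composition is determined by its two projections and so is no longer than the two component traces combined), then evaluates both sides of lemmas 4.51 and 4.53, which should agree, and both sides of lemma 4.52, which is only an inclusion; the structure `T2` is a constructed witness for which that inclusion is strict.

```python
from itertools import product

# A trace is a tuple of symbols; a trace structure is (alphabet, set of traces).
# Only finite (complete) traces are used, so every set here is finite.

def proj_trace(B, x):
    """proj(B)(x): delete the symbols of x that are not in B."""
    return tuple(a for a in x if a in B)

def rename_trace(r, x):
    """rename(r)(x): apply the bijection r (a dict) to every symbol."""
    return tuple(r[a] for a in x)

def pref(P):
    """All prefixes of traces in P (the partial traces of the structure)."""
    return {x[:i] for x in P for i in range(len(x) + 1)}

def suf_traces(x, P):
    """suf(x, P) = {y : x . y in P}; meaningful only when x is in pref(P)."""
    return {y[len(x):] for y in P if y[:len(x)] == x}

def proj(B, T):
    """proj(B)(T) for B a subset of the alphabet of T (def. 2.19)."""
    A, P = T
    assert B <= A
    return (frozenset(B), {proj_trace(B, y) for y in P})

def rename(r, T):
    """rename(r)(T) (def. 2.20); r is a bijection on the alphabet of T."""
    A, P = T
    return (frozenset(r[a] for a in A), {rename_trace(r, y) for y in P})

def par(T, Tp):
    """T || T' (def. 2.18): traces over A u A' whose projections lie in P and P'."""
    (A, P), (Ap, Pp) = T, Tp
    A1 = A | Ap
    # Every symbol of a candidate y survives one of the two projections, so
    # |y| <= max |P| + max |P'| bounds the enumeration.
    bound = max(map(len, P), default=0) + max(map(len, Pp), default=0)
    P1 = set()
    for n in range(bound + 1):
        for y in product(sorted(A1), repeat=n):
            if proj_trace(A, y) in P and proj_trace(Ap, y) in Pp:
                P1.add(y)
    return (A1, P1)

def suf(x, T):
    """suf(x, T) = (gamma, suf(x, P)) (def. 4.49); defined only for x in pref(P)."""
    A, P = T
    if x not in pref(P):
        raise ValueError("suf(x, T) is undefined: x is not a prefix of any trace of T")
    return (A, suf_traces(x, P))

def lemma_451(x, T, Tp):
    """Both sides of lemma 4.51; they should be equal."""
    lhs = suf(x, par(T, Tp))
    rhs = par(suf(proj_trace(T[0], x), T), suf(proj_trace(Tp[0], x), Tp))
    return lhs, rhs

def lemma_452(x, B, T):
    """Both sides of lemma 4.52; the left should be contained in the right."""
    lhs = proj(B, suf(x, T))
    rhs = suf(proj_trace(B, x), proj(B, T))
    return lhs, rhs

def lemma_453(r, x, T):
    """Both sides of lemma 4.53; they should be equal."""
    lhs = rename(r, suf(x, T))
    rhs = suf(rename_trace(r, x), rename(r, T))
    return lhs, rhs

# Constructed examples (not taken from the thesis).
T  = (frozenset("ab"), {("a", "b"), ("b", "a")})
Tp = (frozenset("bc"), {("b", "c")})
# Witness for strictness of lemma 4.52: after x = a only b can follow in T2,
# but projecting onto {a, c} first also admits the suffix c (from the trace bac).
T2 = (frozenset("abc"), {("a", "b"), ("b", "a", "c")})
r  = {"a": "p", "b": "q"}

if __name__ == "__main__":
    print(lemma_451(("b",), T, Tp))
    print(lemma_452(("a",), frozenset("ac"), T2))
    print(lemma_453(r, ("a",), T))
```

On these inputs `lemma_451` and `lemma_453` return identical pairs, while `lemma_452` returns the trace set $\{\epsilon\}$ on the left and $\{\epsilon, c\}$ on the right: projecting before suffixing loses the information that the $c$ in $bac$ was preceded by a $b$, which is exactly why the lemma states an inclusion rather than an equality.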


4.3.4 Constructing Trace Structure Algebras with Partial Traces

The definition of a trace structure algebra with partial traces $\mathcal{A} = (\mathcal{C}, \mathcal{T})$ requires that the set of trace structures $\mathcal{T}$ be closed under the operations on trace structures, including suffixing. This section proves three theorems that make it easier to prove closure, and shows how to use these theorems. The theorems are straightforward extensions of analogous results already proved for trace structure algebras without partial traces (section 2.3.3, p. 39).

The first theorem states that if $\mathcal{T}$ is equal to the set of all trace structures over $\mathcal{C}$, then $\mathcal{T}$ is closed under the operations on trace structures, so $\mathcal{A}$ is a trace structure algebra with partial traces; this is analogous to theorem 2.27. Recall that the alphabet of a trace structure need not be a finite set. The second theorem shows that trace structures with finite alphabets are closed under the operations on trace structures; this is analogous to theorem 2.28.

For the third theorem, let $(\mathcal{C}, \mathcal{T})$ be a trace structure algebra with partial traces, where $\mathcal{T}$ is some subset of the set of trace structures over $\mathcal{C}_C$. For every alphabet $B$, let $\mathcal{L}(B)$ be a class of sets of complete traces over $B$, that is, $\mathcal{L}(B) \subseteq 2^{\mathcal{B}_C(B)}$. Assume that $\mathcal{L}$ is closed under intersection, renaming, projection, inverse projection and suffixing by prefixes (this is formalized below). Let $\mathcal{T}'$ be the set of trace structures $(\gamma, P) \in \mathcal{T}$ such that $P$ is in $\mathcal{L}(A)$. Then $\mathcal{T}'$ is closed under the operations on trace structures, so $(\mathcal{C}, \mathcal{T}')$ is a trace structure algebra with partial traces. This is analogous to theorem 2.30.

Recall the set of all trace structures over the trace algebra of sequences (definition 2.31). By the first theorem, that trace algebra together with this set is a trace structure algebra with partial traces. Recall also the set of all trace structures $(\gamma, P)$ over the same trace algebra for which $\gamma$ has a finite alphabet and $P$ is a mixed regular set of sequences (that is, $P$ is the union of a regular set and an $\omega$-regular set). By the second and third theorems, that trace algebra together with this second set is also a trace structure algebra with partial traces.

The remainder of this section formalizes these results.

Theorem 4.54. If $\mathcal{C}$ is a trace algebra with partial traces and $\mathcal{T}$ is the set of all of the trace structures over $\mathcal{C}$, then $\mathcal{T}$ is closed under the operations on trace structures (parallel composition, projection, renaming and suffixing), so $\mathcal{A} = (\mathcal{C}, \mathcal{T})$ is a trace structure algebra with partial traces.

Proof. Simple extension of theorem 2.27 (p. 39).

□

Theorem 4.55. Let $\mathcal{A} = (\mathcal{C}, \mathcal{T})$ be a trace structure algebra with partial traces. Let $\mathcal{T}'$ be the set of trace structures $T \in \mathcal{T}$ such that the alphabet of $T$ is a finite set. Then $\mathcal{A}' = (\mathcal{C}, \mathcal{T}')$ is a trace structure algebra with partial traces.

Proof. Simple extension of theorem 2.28 (p. 39).

□

Theorem 4.56. Let $\mathcal{A} = (\mathcal{C}, \mathcal{T})$ be a trace structure algebra with partial traces. For every alphabet $B$ of $\mathcal{T}$, let $\mathcal{L}(B)$ be a subset of $2^{\mathcal{B}_C(B)}$. Let $\mathcal{T}'$ be the set of trace structures $T = (\gamma, P) \in \mathcal{T}$ such that $P$ is in $\mathcal{L}(A)$. Then $\mathcal{A}' = (\mathcal{C}, \mathcal{T}')$ is a trace structure algebra with partial traces if L1 through L5 are satisfied for every alphabet $B$ of $\mathcal{T}$ (L1 through L4 are given on p. 40).

L5. If $X \in \mathcal{L}(B)$ and $x \in pref(X)$, then $suf(x, X) \in \mathcal{L}(B)$.

Proof. Simple extension of theorem 2.30 (p. 40).

□

Definition 4.57. We define the trace structure algebra with partial traces whose trace algebra is the trace algebra of sequences and whose domain is the set of all trace structures over it (definition 2.31). By theorem 4.54, it is a trace structure algebra with partial traces.

Definition 4.58. Recall the set of all trace structures $T = (\gamma, P)$ over the trace algebra of sequences for which $\gamma$ has a finite alphabet and $P$ is a mixed regular set of sequences (definition 2.32). We define a second trace structure algebra with partial traces by pairing the trace algebra of sequences with this set. Showing that it is a trace structure algebra with partial traces is a simple extension of the proof that the corresponding pair without partial traces is a trace structure algebra (theorem 2.33).
4.4 Inverses of Conservative Approximations

Let $\Phi$ be a conservative approximation from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$. Let $T \in \mathcal{T}$ and $T' \in \mathcal{T}'$ be such that $T' = \Phi_u(T)$. As we have discussed, $T'$ represents a kind of upper bound on $T$. It is natural to ask whether there is a trace structure in $\mathcal{T}$ that is represented exactly by $T'$ rather than just being bounded by $T'$. If no trace structure in $\mathcal{T}$ can be represented exactly, then $\Phi$ is abstracting away too much information to be of much use. If every trace structure in $\mathcal{T}$ can be represented exactly, then $\Phi_l$ and $\Phi_u$ are equal and are isomorphisms from $\mathcal{A}_C$ to $\mathcal{A}'_C$. These extreme cases illustrate that the amount of abstraction in $\Phi$ is related to which trace structures $T$ are represented exactly by $\Phi_u(T)$ and $\Phi_l(T)$.

To formalize what it means to be represented exactly in this context, we define the inverse of the conservative approximation $\Phi$. Normal notions of the inverse of a function are not adequate for this purpose, since $\Phi$ is a pair of functions. We handle this by only considering those $T \in \mathcal{T}$ for which $\Phi_l(T)$ and $\Phi_u(T)$ have the same value, call it $T'$. Intuitively, $T'$ represents $T$ exactly in this case; the key property of the inverse of $\Phi$ (written $\Phi_{inv}$) is that $\Phi_{inv}(T') = T$. If $\Phi_l(T) \neq \Phi_u(T)$, then $T$ is not represented exactly in $\mathcal{A}'_C$. In this case, $T$ is not in the image of $\Phi_{inv}$. Characterizing when $\Phi_{inv}(T')$ is defined (and what its value is) helps to show which trace structures in $\mathcal{T}$ can be represented exactly (not just conservatively) by trace structures in $\mathcal{T}'$. The remainder of this section formalizes the idea of the inverse of a conservative approximation, and characterizes the inverse of the tightest conservative approximation induced by a homomorphism $h$.

Lemma 4.59. Let $\Phi = (\Phi_l, \Phi_u)$ be a conservative approximation from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$. For every $T' \in \mathcal{T}'$, there is at most one $T \in \mathcal{T}$ such that $\Phi_l(T) = T'$ and $\Phi_u(T) = T'$.

Proof. The proof is by contradiction. Assume there exist two distinct $T_1$ and $T_2$ in $\mathcal{T}$ such that $\Phi_l(T_1)$, $\Phi_u(T_1)$, $\Phi_l(T_2)$ and $\Phi_u(T_2)$ are all equal to $T'$. This implies $\Phi_u(T_1) \subseteq \Phi_l(T_2)$ and $\Phi_u(T_2) \subseteq \Phi_l(T_1)$. Thus, by the definition of a conservative approximation, $T_1 \subseteq T_2$ and $T_2 \subseteq T_1$. Therefore, $T_1 = T_2$, which is a contradiction.

□

Definition 4.60. Let $\Phi = (\Phi_l, \Phi_u)$ be a conservative approximation from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$. Let $\mathcal{T}_1$ be the set of $T \in \mathcal{T}$ such that $\Phi_l(T) = \Phi_u(T)$. Let $\mathcal{T}'_1$ be the image of $\mathcal{T}_1$ under $\Phi_u$. The inverse of $\Phi$ is the partial function $\Phi_{inv}$ with domain $\mathcal{T}'$ and codomain $\mathcal{T}$ that is defined for all $T' \in \mathcal{T}'_1$ so that $\Phi_{inv}(T') = T$, where $T$ is the unique (by lemma 4.59 and the definition of $\mathcal{T}'_1$) trace structure such that $\Phi_l(T) = T'$ and $\Phi_u(T) = T'$.

Theorem 4.61. Let $h$ be a trace algebra homomorphism from $\mathcal{C}_C$ to $\mathcal{C}'_C$, and let $\Phi = (\Phi_l, \Phi_u)$ be the tightest conservative approximation induced by $h$ from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$. If $T' = (\gamma', P') \in \mathcal{T}'$ is such that the set

$$Z = \{X \subseteq \mathcal{B}_C(A') : (\gamma', X) \in \mathcal{T} \wedge h(X) \subseteq P'\}$$

contains a unique maximal (by inclusion) element $P$ for which $P' = h(P)$, then $\Phi_{inv}(T') = (\gamma', P)$; otherwise, $\Phi_{inv}(T')$ is undefined.

Proof. Let $T = (\gamma, P) \in \mathcal{T}$ have the same signature $\gamma = \gamma'$ as $T'$, and let

$$Y = \bigcup \{X \subseteq \mathcal{B}_C(A) : (\gamma, X) \in \mathcal{T} \wedge h(X) \subseteq h(P)\}.$$

Notice that $P \subseteq Y$, since $T \in \mathcal{T}$. Consider the following sequence of logical equivalences:

$$\begin{aligned}
& \Phi_{inv}(T') = T \\
\iff\ & \Phi_u(T) = T' \wedge \Phi_l(T) = T' && \text{by the definition of the inverse of } \Phi \\
\iff\ & h(P) = P' \wedge Y - P = \emptyset && \text{by the definition of } \Phi \\
\iff\ & h(P) = P' \wedge P = Y && \text{since } P \subseteq Y \\
\iff\ & h(P) = P' \wedge P = \textstyle\bigcup Z && \text{by the definitions of } Y \text{ and } Z \\
\iff\ & h(P) = P' \wedge P = \textstyle\bigcup Z \wedge P \in Z, && \text{since } T \in \mathcal{T}
\end{aligned}$$

which is true iff $Z$ contains a unique maximal element $P$ for which $P' = h(P)$. The reverse implication of this equivalence implies the theorem for the case when $\Phi_{inv}(T')$ is defined. By the forward implication, if $Z$ does not contain a unique maximal element $P$ for which $P' = h(P)$, then there does not exist $T$ such that $\Phi_{inv}(T') = T$, which implies that $\Phi_{inv}(T')$ is undefined.

□

The above theorem completely characterizes the inverse of any tightest conservative approximation induced by a homomorphism $h$. The final theorem of this section specializes this result to trace structure algebras that are closed under finite and infinite unions, a property enjoyed by many of the trace structure algebras we consider. This specialization results in a simpler characterization of when $\Phi_{inv}(T')$ is defined. In particular, $\Phi_{inv}(T')$ is defined iff there exists a $T \in \mathcal{T}$ such that $\Phi_u(T) = T'$. This is a strong result. Clearly the existence of such a $T$ is a necessary condition for the inverse of any conservative approximation to be defined on $T'$; when $\mathcal{T}$ is closed under finite and infinite unions, and $\Phi$ is the tightest conservative approximation induced by a homomorphism, it is also a sufficient condition.

Definition 4.62. Let $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ be a trace structure algebra. We say $\mathcal{A}_C$ is closed under finite (infinite) unions iff for every signature $\gamma$ the set

$$\{P \subseteq \mathcal{B}_C(A) : (\gamma, P) \in \mathcal{T}\}$$

is closed under finite (infinite) unions.

Theorem 4.63. Let $h$ be a trace algebra homomorphism from $\mathcal{C}_C$ to $\mathcal{C}'_C$, and let $\Phi = (\Phi_l, \Phi_u)$ be the tightest conservative approximation induced by $h$ from $\mathcal{A}_C = (\mathcal{C}_C, \mathcal{T})$ to $\mathcal{A}'_C = (\mathcal{C}'_C, \mathcal{T}')$. Assume $\mathcal{A}_C$ is closed under finite and infinite unions. If $T' = (\gamma', P') \in \mathcal{T}'$ is such that $\Phi_u(T) = T'$ for some $T \in \mathcal{T}$, then

$$\Phi_{inv}(T') = \Big(\gamma',\ \bigcup \{X \subseteq \mathcal{B}_C(A') : (\gamma', X) \in \mathcal{T} \wedge h(X) \subseteq P'\}\Big);$$

otherwise, $\Phi_{inv}(T')$ is undefined.

Proof. By theorem 4.61, $\Phi_{inv}(T')$ is defined iff the set

$$Z = \{X \subseteq \mathcal{B}_C(A') : (\gamma', X) \in \mathcal{T} \wedge h(X) \subseteq P'\}$$

contains a unique maximal element $P$ for which $P' = h(P)$. Since $\mathcal{A}_C$ is closed under finite and infinite unions, $Z$ contains $\bigcup Z$, so this condition is equivalent to simply requiring that $Z$ contain some element $P$ for which $P' = h(P)$. By the definition of $\Phi_u$, this is equivalent to there existing a $T \in \mathcal{T}$ such that $\Phi_u(T) = T'$. Also, when $\Phi_{inv}(T')$ is defined, it is clearly equal to $(\gamma', \bigcup Z)$.

□


Chapter 5
Delay Models

Trace algebras and trace structure algebras are very general mathematical tools for constructing domains of agent models. Conservative approximations provide a general method for proving relationships between different domains of process models. However, developing domains of agent models is only part of the task of modeling and specifying real-time systems: it is also necessary to choose specific agent models to represent specifications and system components.

Finding a correct formal specification is known to often be quite difficult. However, the problem of finding good component models has received relatively little attention. For speed-dependent asynchronous circuits, finding good component models (often called gate models, in this case) is surprisingly subtle.

In this chapter, we consider several different delay models for verifying speed-dependent asynchronous circuits. From each delay model we produce a gate model by feeding the output of an ideal (delay-free) gate into a delay element of the appropriate type. The delay models are used in the verification of two asynchronous FIFO queue circuits: the first was designed by Seitz [92] and the second was synthesized using the method of Lavagno et al. [61].

The automatic verifier that we use is our extension of Dill's trace theory verifier [38] that allows for the use of trace structures over the discrete time trace algebra $\mathcal{C}_{DC}$ (in the verifier, trace structures actually consist of two sets of traces, a success set and a failure set, but that difference does not concern us here).

Together with the conservative approximations described earlier, the verifier can be used to prove correctness relative to the continuous time trace structure algebra. Although this verifier was first described in 1989 [16, 17], it still appears to be the state of the art in automatic verification of speed-dependent asynchronous circuits.
$$(y = \beta) \wedge (z = \beta) \xrightarrow{\;y\;} y := \neg\beta$$
$$(y = \beta) \wedge (z = \neg\beta) \xrightarrow{\;y\;} \text{failure}$$
$$(y = \beta) \wedge (z = \neg\beta) \xrightarrow{\;z\;} z := \beta$$

Figure 5.1: Delay insensitive buffer; the meta-variable $\beta$ ranges over $\{0, 1\}$.

5.1 Hazard-Failure Delay Model

We begin by considering the trace structure modeling a speed-independent buffer with input $y$ and output $z$. The buffer is described using a production rule notation (see figure 5.1) somewhat reminiscent of the notation used by Martin [71, 73]. The firing of a production rule is an instantaneous (atomic) event. It is possible for more than one production rule to fire simultaneously; however, we will only consider non-simultaneous firings here. Since the buffer in figure 5.1 is untimed, we can interpret its production rules as representing a set of traces in the untimed trace algebra; since its input is $y$ and its output is $z$, the traces are elements of $\mathcal{B}_C(\{y, z\})$. Recall that $\mathcal{B}_C(\{y, z\})$ is equal to $(y + z)^*$.

A trace is in the set of traces represented by a set of production rules if and only if it corresponds to a run of the production rules. Consider a run of the production rules in figure 5.1. In the initial state, with $y$ and $z$ both equal to 0, only the first rule is firable. Since the first production rule is labeled with $y$ (the symbol above the arrow), the trace of the run begins with $y$. If the second production rule firing is a $y$ transition, then the trace of the run begins with $yy$, and the buffer goes into failure mode. Once in failure mode, any trace is possible. Thus, for example, the buffer includes all of the traces in $yy(y + z)^*$. We call this delay model the speed-independent hazard-failure model, because any hazard puts the buffer into failure mode (for our purposes, a hazard is two consecutive transitions on the input of a buffer, without an intervening output transition). The term failure is borrowed from Dill [38]. Dill used two sets of traces in each trace structure, a failure set and a success set; for simplicity, we just use one set of traces.

If the second production rule firing is a $z$ transition, then the trace begins with $yz$. Continuing in this way, one can build up the trace corresponding to a particular run of the production rules. The set of traces represented by the production rules is equal to the set of traces that can be built up in this manner.

We can also interpret the production rules in figure 5.1 over the continuous time trace algebra. Recall that each trace over $\{y, z\}$ in that algebra is a subset of $\{y, z\} \times \Re^{\ge 0}$, where $\Re^{\ge 0}$ is the set of non-negative real numbers. In the initial state, with $y$ and $z$ both equal to 0, only the first rule is firable and it can fire at any time $t'$. Since the first production rule is labeled with $y$, the trace of the run contains the event $(y, t')$. Assume the next production rule firing occurs at time $t''$. If the second production rule firing is a $y$ transition, then the trace of the run contains the event $(y, t'')$, and the buffer goes into failure mode. Thus, for example, the buffer includes all of the traces of the form

$$\{(y, t'), (y, t'')\} \cup x,$$

where $x$ is a subset of

$$\{y, z\} \times \{t \in \Re^{\ge 0} : t > t''\}.$$

If the second production rule firing is a $z$ transition, then the trace contains the event $(z, t'')$. Continuing in this way, one can build up the trace corresponding to a particular run of the production rules.

The next step is to generalize the model of the buffer to include a lower bound $\Delta_{min}$ and an upper bound $\Delta_{max}$ on its delay. We do this by including clocks in the production rules to record the passage of time (see figure 5.2). The clock $t$ in figure 5.2 is treated as a real-valued quantity when used in the precondition of a production rule. A clock can either be running or stopped. When stopped, its value is zero; when running, its value increases automatically and continuously with the passage of time. All clocks are initially stopped. The operation $restart(t)$ sets the value of $t$ to zero and starts the clock running, regardless of whether it was already running. Thus, if a clock is running, then its value represents the amount of time since it was last restarted. The operation $reset(t)$ sets $t$ to zero and stops it. A production rule with $disallow$ as its right side has a special meaning: the precondition must never be allowed to become true. This can lead to complicated backtracking in general, but here $disallow$ is only used to enforce upper bounds on the response time of a delay element.

Consider a run of the production rules in figure 5.2. In the initial state, with $y$ and $z$ both equal to 0 and $t$ stopped, only the first rule is firable and it can fire at any time $t'$. Since the first production rule is labeled with $y$, the trace of the run contains the event $(y, t')$. When the rule fires, it restarts the clock $t$. Thus, until $t$ is reset or restarted again, its value reflects the amount of time since the $y$ transition. Assume the next production rule firing occurs at time $t''$. If $\Delta_{max} < t'' - t'$, then the precondition of rule 4 becomes true, but this is specifically disallowed. Thus, we know that $t'' \le t' + \Delta_{max}$. If the second production rule firing is a $y$
$$(y = \beta) \wedge (z = \beta) \xrightarrow{\;y\;} y := \neg\beta;\ restart(t)$$
$$(y = \beta) \wedge (z = \neg\beta) \xrightarrow{\;y\;} \text{failure}$$
$$(t \ge \Delta_{min}) \wedge (y = \beta) \wedge (z = \neg\beta) \xrightarrow{\;z\;} z := \beta;\ reset(t)$$
$$(t > \Delta_{max}) \wedge (y = \beta) \wedge (z = \neg\beta) \longrightarrow \text{disallow}$$

Figure 5.2: Binary hazard-failure delay; the meta-variable $\beta$ ranges over $\{0, 1\}$.

transition, then the trace of the run contains the event $(y, t'')$, and the delay element goes into failure mode. If the second production rule firing is a $z$ transition, then $t'' \ge t' + \Delta_{min}$, and the trace contains the event $(z, t'')$. In this case, the clock $t$ is reset (set to zero and stopped) because there is no need to keep track of the passage of time when the delay element is in a quiescent state. Continuing in this way, one can build up the trace corresponding to a particular run of the production rules.

5.2 Approximating Continuous Time

We can also interpret production rules as representing trace structures over $\mathcal{C}_{DC}$. Recall that for a given alphabet $A$, the set of traces $\mathcal{B}_{DC}(A)$ of $\mathcal{C}_{DC}$ over alphabet $A$ is

$$\epsilon + (A \cup$$

Earlier chapters have described a class of conservative approximations from trace structures over the continuous time trace algebra to prefix-closed trace structures over $\mathcal{C}_{DC}$ (via the intermediate trace algebras described there). Let $\Phi$ be the tightest of these conservative approximations. Let $T$ be the trace structure over the continuous time trace algebra represented by the production rules in figure 5.2 with $\Delta_{min} = 2$ and $\Delta_{max} = 3$. It can be shown that the trace structure $T' = \Phi_u(T)$ is represented by the automaton in figure 5.3.

The proof of this result is quite tedious and will not be presented here. This tedium can be avoided by proving the following more general results. Although we feel we have a good understanding of how to prove these more general results, they remain as future work. First, define two different formal semantics for the production rule language. The first semantics would be in terms of trace structures over the continuous time trace algebra, the second in terms of trace structures over $\mathcal{C}_{DC}$ (discrete time). Second, prove that for any syntactically well-formed set of production rules, the semantics over $\mathcal{C}_{DC}$ is a conservative approximation
of the semantics over the continuous time trace algebra (this actually requires having three different semantics: $T$, $\Phi_l(T)$ and $\Phi_u(T)$, where $T$ is the trace structure giving the continuous time semantics and $\Phi = (\Phi_l, \Phi_u)$ is the appropriate conservative approximation). It follows from these results that if an implementation of a "production rule compiler" satisfies the discrete time semantics, then it provides a conservative approximation of the continuous time semantics. In such an implementation (and the one used for the verification examples in this chapter), finite automata can be used to represent trace structures over $\mathcal{C}_{DC}$.

[Figure 5.3 (automaton drawing): states include Start and Failure; edges are labeled with $\phi$ and $z$.]

Figure 5.3: Automaton that accepts the set $P' \subseteq \mathcal{B}_{DC}(\{y, z\})$ of a buffer with minimum delay of 2 and maximum delay of 3.

Applying the conservative approximation $\Phi$ described above is not the only potential source of false negatives when using discrete time models. Let $T_0$ and $T'_0$ be continuous time and discrete time models of a hazard-failure delay element with input $y_0$, output $z_0$, $\Delta_{min} = 1$ and $\Delta_{max} = 1$. We define $T_1$ and $T'_1$ similarly except that they have input $y_1$ and output $z_1$. In the agent $T_0 \parallel T_1$, if a $y_0$ transition precedes a $y_1$ transition, then the resulting $z_0$ transition is guaranteed to precede the resulting $z_1$ transition. However, the following trace is possible in $T'_0 \parallel T'_1$:

$$y_0\, y_1\, \phi\, z_1\, z_0.$$

To see this, notice that

$$proj(\{y_0, z_0\})(y_0\, y_1\, \phi\, z_1\, z_0) = y_0\, \phi\, z_0 \in P'_0$$

and

$$proj(\{y_1, z_1\})(y_0\, y_1\, \phi\, z_1\, z_0) = y_1\, \phi\, z_1 \in P'_1.$$
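The false negative above can be reproduced mechanically. The Python below is an added example, not code from the thesis or from its verifier. It encodes two things. First, the discrete-time trace set of the hazard-failure delay element of figure 5.2, using the reading of the tick symbol $\phi$ under which an output placed $k$ ticks after its input occurred at a real delay somewhere in the open interval $(k-1, k+1)$, because both events lie in unit intervals; taking this as the discrete-time trace set is an assumption of the example, not a result quoted from the thesis. Second, a continuous-time feasibility check for a discrete trace: the tick-interval bounds, the strict ordering of consecutive events (no simultaneous firings) and the $[\Delta_{min}, \Delta_{max}]$ delay of each element are difference constraints, closed by Floyd-Warshall on a difference bound matrix that tracks strictness, so a zero-weight cycle containing a strict edge is reported as infeasible. Parallel composition is the projection test of definition 2.18, with $\phi$ kept by every projection. The names `PHI`, `delay_model`, `discrete_behaviour` and `continuous_feasible`, and the two-element configuration `ELEMENTS`, are the example's own.

```python
PHI = "phi"          # the clock tick symbol of the discrete time trace algebra
INF = float("inf")

def delay_model(trace, y, z, dmin, dmax):
    """Run the discrete-time hazard-failure delay element (figure 5.2) over
    `trace`.  Ticks count elapsed unit intervals: an output k ticks after its
    input corresponds to a real delay in the open interval (k-1, k+1).
    Returns None when the trace is not a behaviour of the element (an output
    that is too early, too late or unrequested), otherwise the final mode:
    'idle', 'pending' (an input awaiting its output) or 'failure'."""
    pending, ticks = False, 0
    for e in trace:
        if e == PHI:
            ticks += 1
            # rule 4: after k ticks more than k-1 units have passed, so once
            # k-1 >= dmax the disallowed precondition t > dmax would hold.
            if pending and ticks - 1 >= dmax:
                return None
        elif e == y:
            if pending:
                return "failure"        # rule 2: hazard; any continuation allowed
            pending, ticks = True, 0    # rule 1: y := not y; restart(t)
        elif e == z:
            # rule 3: some delay in (k-1, k+1) must satisfy dmin <= delay <= dmax
            if not pending or not (ticks + 1 > dmin and ticks - 1 < dmax):
                return None
            pending = False             # reset(t)
        else:
            return None                 # symbol outside this element's alphabet
    return "pending" if pending else "idle"

def proj(alphabet, trace):
    """proj(B)(x) on discrete traces: drop foreign symbols but keep every tick."""
    return tuple(e for e in trace if e == PHI or e in alphabet)

def discrete_behaviour(trace, elements):
    """Membership in T'_0 || T'_1 || ...: each projection must be a behaviour
    of its element.  `elements` is a sequence of (input, output, dmin, dmax)."""
    return all(delay_model(proj({y, z}, trace), y, z, dmin, dmax) is not None
               for y, z, dmin, dmax in elements)

def continuous_feasible(trace, elements):
    """Is there a real-time assignment that discretises to `trace`?
    An event placed after i ticks has time in [i, i+1); consecutive events
    are strictly ordered; each input/output pair of an element is separated
    by a delay in [dmin, dmax].  Bounds are (value, flag) with flag 0 for a
    strict and 1 for a non-strict bound, so tuple comparison picks the tighter."""
    events, tick = [], 0
    for e in trace:
        if e == PHI:
            tick += 1
        else:
            events.append((e, tick))
    n = len(events) + 1                           # node 0 is time zero
    bnd = [[(INF, 1)] * n for _ in range(n)]
    for v in range(n):
        bnd[v][v] = (0, 1)

    def add(a, b, c, flag):                       # constraint t_b - t_a <= c (or < c)
        if (c, flag) < bnd[a][b]:
            bnd[a][b] = (c, flag)

    for j, (_, i) in enumerate(events):
        add(0, j + 1, i + 1, 0)                   # t_j < i + 1
        add(j + 1, 0, -i, 1)                      # t_j >= i
        if j > 0:
            add(j + 1, j, 0, 0)                   # t_{j-1} < t_j
    for y, z, dmin, dmax in elements:
        open_input = None
        for j, (e, _) in enumerate(events):
            if e == y:
                open_input = j + 1
            elif e == z and open_input is not None:
                add(open_input, j + 1, dmax, 1)   # t_z - t_y <= dmax
                add(j + 1, open_input, -dmin, 1)  # t_y - t_z <= -dmin
                open_input = None
    for k in range(n):                            # Floyd-Warshall closure
        for a in range(n):
            for b in range(n):
                via = (bnd[a][k][0] + bnd[k][b][0], min(bnd[a][k][1], bnd[k][b][1]))
                if via < bnd[a][b]:
                    bnd[a][b] = via
    # a negative cycle, or a zero cycle containing a strict edge, is infeasible
    return all(bnd[v][v] >= (0, 1) for v in range(n))

# Constructed example: two delay elements with dmin = dmax = 1, as in the text.
ELEMENTS = (("y0", "z0", 1, 1), ("y1", "z1", 1, 1))
FALSE_NEGATIVE = ("y0", "y1", PHI, "z1", "z0")

if __name__ == "__main__":
    print(discrete_behaviour(FALSE_NEGATIVE, ELEMENTS))   # accepted by T'_0 || T'_1
    print(continuous_feasible(FALSE_NEGATIVE, ELEMENTS))  # impossible in T_0 || T_1
```

`discrete_behaviour` accepts $y_0\, y_1\, \phi\, z_1\, z_0$ while `continuous_feasible` rejects it: the only way to put $z_1$ before $z_0$ with both delays exactly 1 is $t_{y_1} \le t_{y_0}$, which contradicts the strict order $t_{y_0} < t_{y_1}$. Swapping the two outputs gives $y_0\, y_1\, \phi\, z_0\, z_1$, which both checks accept. The same `delay_model` reproduces the automaton of figure 5.3 for $\Delta_{min} = 2$, $\Delta_{max} = 3$: it accepts $y\, \phi\, \phi\, z$ and $y\, \phi\, \phi\, \phi\, z$, rejects $y\, \phi\, z$ as too early, and rejects any prefix with four ticks after $y$ because rule 4 would have fired.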

5.3 Seitz Queue Element

In this section we analyze the self-timed queue element in figure 5.4. It is based on a circuit described by Seitz [92]. Seitz's original circuit does not have the two inverters between the E and G nodes shown in figure 5.4, and it also includes an initialization signal. Seitz's circuit is not speed-independent, but was intended to work under the more liberal 3/2 rule, which states that the total delay through any 3 gates is greater than the delay through any 2 gates. The control signals use 2-phase handshaking.

Seitz's original circuit was analyzed by Browne and Mishra et al. [9, 77]. They were not able to model the 3/2 rule, so the circuit was analyzed under a unit delay model. The unit delay model is more liberal (less conservative) than the 3/2 rule, so any bug discovered under the unit delay model is also a bug under the 3/2 rule. They discovered a bug, and proposed a modification to the circuit. Their modified circuit differed from the one in figure 5.4 by the absence of the two inverters between the E and G nodes mentioned above, and the addition of two more inverters, for a total of five, between the AckOut and E nodes. This circuit satisfied their specifications, but even in the unit delay model at least one bug remained that was not caught by their specifications. To see the bug, assume the circuit is in a quiescent state with the queue full (Full1 is high and Full0 is low) and there is a ReqIn pending. Assume an AckOut is received, and that there are no other input changes until the circuit is stable. The queue should become momentarily empty, and then become full again before the circuit stabilizes. But it is possible for the A signal to not remain high long enough to properly set the flip-flop, so the circuit can stabilize with the queue empty. We refer to this bug as the "dropped bit" bug.

Our analysis shows that the circuit in figure 5.4 is correct (up to safety properties) in a unit delay model, and is also correct in some timing models that are more conservative than the unit delay model. The circuit is not correct, however, in a model as conservative as the 3/2 rule.

Before giving the details of our analysis of the queue circuit, we should describe some of the limitations of the component model that was used. We started by modeling each gate with an ideal (delay-free) gate followed by a hazard-failure delay element as described in figure 5.2. The same values of $\Delta_{min}$ and $\Delta_{max}$ are used for each gate in the circuit. Nodes with indeterminate voltages are not modeled. So, it cannot be verified that an initialization signal works correctly; the verification is simply started with all nodes at the proper initial voltages. Also, the verifier cannot model transistors as switches, so the pass transistors in the circuit must be modeled as latches. The negative resistors are simply modeled as buffers with delay. For correct circuit operation, it is necessary that the delay be at least 3 gate delays for the negative resistor in the input section, and at least 2 gate delays for the negative resistor in the output section. These delays could be reduced if assumptions are made about the minimum response time of the environment. We remove the buffers in the data part since we cannot model their role in the circuit, which is to convert a dynamic storage node to a static storage node. Only one bit of the data path was modeled.

If any gate of the circuit goes into failure mode, then the resulting erratic transitions of the gate's output will eventually propagate to the interface of the circuit, causing it to not satisfy its specification. The gate driving Full0 goes into failure mode, regardless of the values of $\Delta_{min}$ and $\Delta_{max}$, in the following situation. The queue is full, and a ReqIn is pending, so A, B and Full0 are low and Full1 is high. As a result of an AckOut transition, Full1 can go low. $\Delta_{min}$ time units later, A can go high before Full0 goes high, causing a hazard. This hazard puts the gate driving Full0 into failure mode. We can use a more liberal model of the gate by assuming that it would fire between $\Delta_{min}$ and $\Delta_{max}$ time units after Full1 goes low, even in the above scenario. Thus, we modify the trace structure modeling this gate so that a trace in which the gate is firable for $\Delta_{min}$ time units is not a failure, and the gate fires within the $\Delta_{max}$ time unit maximum delay, even if there is a hazard. This means that Full0 can go high and then go low $2\Delta_{min} - \Delta_{max}$ time units later; thus, the buffer driving D is modeled so that it is not a failure whenever it is firable for at least $2\Delta_{min} - \Delta_{max}$ time units, even if there is a hazard. Thus, the model of the buffer driving D is slightly more liberal than the model of the gate driving Full0. The other gates could also be modeled similarly, but it is not necessary in order to verify the correctness of the circuit.

We used the verifier to determine for what values of Δmin and Δmax the circuit is correct. The circuit was originally claimed to be correct under the 3/2 rule, which states that the total delay through any 3 gates is greater than the delay through any 2 gates. This is not quite the same as saying the circuit is correct when Δmax = 3 and Δmin = 2, since that would allow the total delay through any 3 gates to be greater than or equal to the delay through any 2 gates. Nonetheless, we can show that the circuit is incorrect under the 3/2 rule; the verifier finds a variant of the "dropped bit" bug (described above) in the circuit when assuming that Δmax = 6 and Δmin = 5, which is a more optimistic assumption than the 3/2 rule. The verifier shows this bug by producing an error trace that puts the gate driving Full0 into failure mode.

The circuit is correct as modeled when Δmax = ” and Δmin = 6. The automatic verifier checked this by examining 8(53 states in about 5 minutes on a Sun 3/60.

In an earlier description of this circuit [17], we reported that the circuit was correct for Δmax = 6 and Δmin = 5. That analysis was based on a discrete time model that differs slightly from the discrete time model used here (see figure 5.3). The difference is that the b transition from state 1 returns to state 0, rather than going into failure mode. Thus, a hazard shorter than one clock tick (in discrete time) is ignored, which gives a more optimistic model. The intention was that this model would compensate for the extra conservativeness in the discrete time model caused by possible reordering of events between clock ticks (see the end of section 5.2). Now we understand that this discrete time model does not correspond to any continuous time model, and should be avoided. It does appear, however, that the circuit works correctly whenever

$\frac{\Delta_{min}}{\Delta_{max}} \geq \frac{5}{6},$

based on examining the error trace produced when Δmax = 6 and Δmin = 5. Also, the verifier shows that the circuit is correct for Δmax = 13 and Δmin = 11. For this model, the verifier examined 44,906 states in about 28 minutes.
(1)  $(y = \beta) \wedge (z = \beta) \xrightarrow{y} y := \neg\beta;\ \mathrm{restart}(t)$

(2)  $(y = \beta) \wedge (z = \neg\beta) \xrightarrow{y} y := \neg\beta;\ \mathrm{reset}(t)$

(3)  $(t \geq \Delta_{min}) \wedge (y = \beta) \wedge (z = \neg\beta) \xrightarrow{z} z := \beta;\ \mathrm{reset}(t)$

(4)  $(t > \Delta_{max}) \wedge (y = \beta) \wedge (z = \neg\beta) \longrightarrow \mathrm{disallow}$

Figure 5.5: Binary inertial delay. The meta-variable β ranges over {0, 1}.

5.4 Binary Inertial Delay

The hazard-failure model can be overly conservative in many situations. A common alternative is the inertial delay model [12, 91, 90]. Our formal model of a binary inertial delay element with input y and output z is given in figure 5.5, using production rules. Consider a run of the production rules in figure 5.5. In the initial state, with y and z both equal to 0 and t stopped, only the first rule is firable and it can fire at any time t'. Since the first production rule is labeled with y (the symbol above the arrow), the trace of the run contains the event (y, t'). When the rule fires, it restarts the clock t. Thus, until t is reset or restarted again, its value reflects the amount of time since the y transition. Assume the next production rule firing occurs at time t''. If Δmax < t'' − t', then the precondition of rule 4 becomes true, but this is specifically disallowed. Thus, we know that t'' ≤ t' + Δmax. If the second production rule firing is a y transition, then the trace of the run contains the event (y, t''). If the second production rule firing is a z transition, then t'' ≥ t' + Δmin, and the trace contains the event (z, t''). In both cases, the clock t is reset (set to zero and stopped) because there is no need to keep track of the passage of time when the delay element is in a quiescent state. Continuing in this way, one can build up the trace corresponding to a particular run of the production rules. The set of traces represented by the production rules is equal to the set of traces that can be built up in this manner.

The distinctive feature of the production rule description of inertial delay is rule 2. It specifies that if two consecutive y transitions occur without a z transition in between, then the state of the delay element is the same as if no transitions occurred. Thus, a hazard is treated as if nothing happened. As an extreme example, consider a signal that transitions every t' time units, where t' is slightly less than Δmin. If this signal is input to an inertial delay element, then the output is constant, which is clearly overly optimistic.
5.5 Binary Chaos Delay

In the binary chaos delay model a delay element goes into a special mode, called chaos mode, when there is a hazard on its input. When in chaos mode, the output of the delay element can transition unpredictably, which conservatively models the unpredictability of an actual gate responding to a hazard. In this sense, chaos mode is like failure mode. The difference is that chaos delay allows the delay element to leave chaos mode if its input does not transition for a period of length Δmax, in which case the delay element enters a quiescent state with its output equal to its input.

A circuit can work properly even if one of its gates enters chaos mode, as long as the random outputs of the gate are not allowed to propagate to the interface of the circuit. If the hazard-failure delay model were used when verifying such a circuit, a false negative would result. There are examples of this happening in practice. The synthesis techniques of Lavagno et al. [61] can produce circuits that are correct under the chaos delay model but incorrect under the hazard-failure delay model [60].

The term "chaos" is borrowed from Josephs and Udding [53], who used a chaos process to represent the response of a delay-insensitive process to a hazard. In their model, however, it is impossible for a component to ever leave chaos mode.

The production rules for the chaos delay model have an extra boolean state variable c which is equal to 1 if and only if the delay element is in chaos mode (see figure 5.6). Rule 2 is the major difference between inertial delay and chaos delay; it requires that the delay element go into chaos mode in response to a hazard. The clock t is restarted in order to record the amount of time that must pass before the delay element can exit chaos mode. In rule 3, the clock is restarted again if another input transition occurs.

Rules 4 and 5 control the minimum and maximum response time of the delay element when there are no hazards (i.e., not in chaos mode). Rule 6 allows the output to transition unpredictably in chaos mode. In rule 7, chaos mode can be exited if sufficient time has passed and the values of the input and output are equal. Rule 8 requires that chaos mode must be exited after sufficient time. This forces the output to become equal to the input before more than Δmax time has passed.
(1)  $(y = \beta) \wedge (z = \beta) \wedge (c = 0) \xrightarrow{y} y := \neg\beta;\ \mathrm{restart}(t)$

(2)  $(y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \xrightarrow{y} y := \neg\beta;\ c := 1;\ \mathrm{restart}(t)$

(3)  $(y = \beta) \wedge (c = 1) \xrightarrow{y} y := \neg\beta;\ \mathrm{restart}(t)$

(4)  $(t \geq \Delta_{min}) \wedge (y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \xrightarrow{z} z := \beta;\ \mathrm{reset}(t)$

(5)  $(t > \Delta_{max}) \wedge (y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \longrightarrow \mathrm{disallow}$

(6)  $(z = \beta) \wedge (c = 1) \xrightarrow{z} z := \neg\beta$

(7)  $(t = \Delta_{max}) \wedge (y = \beta) \wedge (z = \beta) \wedge (c = 1) \longrightarrow c := 0;\ \mathrm{reset}(t)$

(8)  $(t > \Delta_{max}) \wedge (c = 1) \longrightarrow \mathrm{disallow}$

Figure 5.6: Binary chaos delay. The meta-variable β ranges over {0, 1}.


Figure 5.7: STG specification for a FIFO controller.

5.6 FIFO Controller

We compared the binary inertial delay and binary chaos delay models by verifying a speed-dependent FIFO controller circuit. The specification for the FIFO controller, which is due to Chu [30], is given as a Signal Transition Graph (STG) in figure 5.7. The automatic verifier that was used is based on an extension of Dill's trace theory that allows for the modeling of real-time properties [17]. It uses a discrete time model that is a provably conservative approximation of a continuous time model. As a result, if a circuit is verified correct under this discrete time model, then it is guaranteed to be correct under the continuous time model.

In figure 5.8, the circuit that was checked is described using a LISP-like language that can be read by the automatic verifier. For each gate, the first argument is the input(s), the second argument is the output, and the third argument gives the minimum and maximum


;  Initially Ri=0, Ao=0, D=0, Ro=0, Ai=0,
;  L=0, W1=1, W2=1, W3=1, W4=0, W5=1,
;  W6=1, W7=1, W8=1, W9=1
(compose
  (buffer D Ro)
  (inverter L W1 (4 7))
  (orgate (-W1 -D) W2 (8 12))
  (inverter D W3 (4 7))
  (orgate (-W3 -W1) W4 (8 12))
  (orgate (-Ai -W4) W5 (8 12))
  (orgate (-W2 -W5) Ai (8 12))
  (inverter Ao W6 (4 6))
  (orgate (-W3 -W6 -Ri) W7 (14 21))
  (inverter Ri W8 (4 6))
  (orgate (-D -W8 -Ao) W9 (14 21))
  (orgate (-W7 -W9) L (8 12)))

Figure 5.8: Implementation of FIFO controller.

delays of the gate. If there is no third argument, then the gate has unbounded delay (i.e., is a speed-independent gate). Negated inputs are denoted by a minus sign. The circuit is based on a design synthesized using the method of Lavagno et al. [61]. It was intentionally synthesized to have an error, in order to test the gate models used with the verifier [60].

We checked the circuit under the inertial delay model and the chaos delay model. In both cases, gates are modeled as an ideal (delay free) gate whose output feeds a delay element of the appropriate type. Under the inertial delay model the circuit is correct. The verifier checked this by examining 6,450 states in less than 190 seconds of CPU time on a Sun 3/60.

Under the chaos delay model the circuit does not satisfy the specification. The counter-example trace returned by the verifier is

Ri+ φ^4 W8− W7− (|ff® L+ D+ φ^4 W1− W2− W2+ Ai+,    (5.1)

which represents a possible behavior of the circuit that is not consistent with the specification. The symbol φ in this trace gives information about the times at which transitions occur. Assume the trace begins at time 0, and let T be the basic unit of time. If a transition occurs between the nth and (n + 1)th φ in the trace, then the transition occurs between times n·T and (n + 1)·T. Superscripts are used to indicate multiple occurrences of φ. Thus, the transition of W8 in the trace occurs between times 4T and 5T. The key event in the trace is the final transition of W1, which causes a hazard on the gate driving W2. This hazard is ignored in the inertial delay model, but in the chaos delay model it puts the gate into chaos mode, resulting in two consecutive transitions of W2. This puts the gate driving Ai into chaos mode, causing an Ai transition earlier than is allowed by the specification. This is an illustration of how the inertial delay model can lead to false positive verification results.
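As an added illustration of the φ notation just described (this is not code from the thesis or its verifier), the following Python program decodes a trace string into transitions tagged with the number n of φ symbols preceding them, so that each transition is known to lie between n·T and (n + 1)·T, and computes the tick distance between two transitions, which is how the text measures the length of a hazard. The trace it parses is constructed for the example and does not reproduce trace (5.1); only the φ^4 before W8− and the four φ between D+ and W1− follow the discussion above.

```python
import re
from typing import List, Tuple

# A transition record: (signal, direction "+" or "-", n), meaning the
# transition occurs between times n*T and (n + 1)*T, where n is the number
# of φ symbols that precede it in the trace.
Transition = Tuple[str, str, int]

_PHI_RE = re.compile(r"^φ(?:\^(\d+))?$")                      # φ or φ^k
_TRANS_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)([+-])$")     # e.g. W1- or Ai+


def parse_trace(trace: str) -> List[Transition]:
    """Decode a φ-annotated trace into transitions with their tick index."""
    tick = 0
    events: List[Transition] = []
    for token in trace.replace(",", " ").replace(".", " ").split():
        m = _PHI_RE.match(token)
        if m:
            tick += int(m.group(1)) if m.group(1) else 1   # φ^k counts k ticks
            continue
        m = _TRANS_RE.match(token)
        if m is None:
            raise ValueError(f"unrecognised trace token: {token!r}")
        events.append((m.group(1), m.group(2), tick))
    return events


def time_window(events: List[Transition], signal: str, direction: str) -> Tuple[int, int]:
    """Return (n, n + 1): the transition lies between n*T and (n + 1)*T."""
    for name, d, n in events:
        if name == signal and d == direction:
            return (n, n + 1)
    raise KeyError(f"{signal}{direction} not in trace")


def tick_gap(events: List[Transition], first: Tuple[str, str], second: Tuple[str, str]) -> int:
    """Time units (in T) between two transitions, counted as the thesis does:
    the difference of their tick indices."""
    (a, _), (b, _) = time_window(events, *first), time_window(events, *second)
    return b - a


# Constructed sample trace in the notation of section 5.6 (not trace (5.1)
# itself): the φ^4 before W8- and the φ^4 between D+ and W1- follow the text,
# the middle group is a made-up value.
SAMPLE = "Ri+ φ^4 W8- W7- φ^10 L+ D+ φ^4 W1- W2- W2+ Ai+"

if __name__ == "__main__":
    ev = parse_trace(SAMPLE)
    print(time_window(ev, "W8", "-"))              # W8- lies between 4T and 5T
    print(tick_gap(ev, ("D", "+"), ("W1", "-")))   # the hazard on W2 lasts 4 units
```

Trailing punctuation in a trace (the comma or period the text uses) is dropped before tokenising, so a trace can be pasted as it appears in running prose.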


5.7 A Less Conservative Model

Although the chaos delay model is not as conservative as failing on all hazards, it may still be overly conservative. This is illustrated in the counter-example trace (5.1). The length of the hazard in the trace is 4 time units (the time between the D+ and W1− transitions), which is half the minimum delay of the relevant gate. Depending on how the gate is implemented, a pulse this short might be reliably filtered out. Also, once the hazard occurs, the output of the gate (W2) immediately becomes unpredictable. In practice, the output would remain stable until Δmin time units after the first transition in the hazard (D+, in this case).

Both of these issues are addressed in the model described in figure 5.9. An additional parameter, Δhaz, is used to control the length of the longest hazard that is ignored by the delay element. If a hazard is shorter than Δhaz, then that hazard is ignored, just as in the inertial delay model. If a hazard is longer than Δhaz, then the delay element goes into chaos mode. Thus, this model unifies inertial delay and chaos delay: if Δhaz = 0, then it goes into chaos mode in response to any hazard; if Δhaz > Δmax, then it is identical to the inertial delay model.

The production rules in figure 5.9 use two clocks, tz and tc. The clock tz records the delay until the output z transitions. The clock tc records the time that must pass before the delay element can exit chaos mode; thus, it only runs in chaos mode. Both of these functions could be combined into one clock t in our previous chaos delay model (figure 5.6).

The first production rule in figure 5.9 is the same as the first rule of the original chaos model, except that tz is used instead of t. Rule 2 of the original model is split into rule 2 (which acts like the inertial model for short hazards) and rule 3 (which goes into chaos mode for long hazards). Anytime rule 3 fires, tz is already running (because of a previous firing of rule 1) and its value is not affected. The final six rules in figure 5.9 correspond to the final six rules of the original model. The only changes are that references to t are replaced by references
(1)  $(y = \beta) \wedge (z = \beta) \wedge (c = 0) \xrightarrow{y} y := \neg\beta;\ \mathrm{restart}(t_z)$

(2)  $(t_z < \Delta_{haz}) \wedge (y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \xrightarrow{y} y := \neg\beta;\ \mathrm{reset}(t_z)$

(3)  $(t_z \geq \Delta_{haz}) \wedge (y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \xrightarrow{y} y := \neg\beta;\ c := 1;\ \mathrm{restart}(t_c)$

(4)  $(y = \beta) \wedge (c = 1) \xrightarrow{y} y := \neg\beta;\ \mathrm{restart}(t_c)$

(5)  $(t_z \geq \Delta_{min}) \wedge (y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \xrightarrow{z} z := \beta;\ \mathrm{reset}(t_z)$

(6)  $(t_z > \Delta_{max}) \wedge (y = \beta) \wedge (z = \neg\beta) \wedge (c = 0) \longrightarrow \mathrm{disallow}$

(7)  $(t_z \geq \Delta_{min}) \wedge (z = \beta) \wedge (c = 1) \xrightarrow{z} z := \neg\beta$

(8)  $(t_c = \Delta_{max}) \wedge (y = \beta) \wedge (z = \beta) \wedge (c = 1) \longrightarrow c := 0;\ \mathrm{reset}(t_z);\ \mathrm{reset}(t_c)$

(9)  $(t_c > \Delta_{max}) \wedge (c = 1) \longrightarrow \mathrm{disallow}$

Figure 5.9: Extended binary chaos delay with hazard length parameter and delayed chaos output.

to tz or tc, as appropriate, and rule 7 requires that tz ≥ Δmin before the output can transition in chaos mode.

The model can be further generalized to include five parameters, instead of just three. The parameter Δmin could have different values for rules that fire in chaos mode than for rules that fire when not in chaos mode; similarly for Δmax. However, we do not consider this generalization further here.

We applied the generalized model in figure 5.9 to the verification problem described earlier. For each gate, we let Δhaz = ⌊0.75·Δmin⌋. The circuit still did not satisfy its specification even under this more optimistic gate model. The counter-example trace that the verifier produced is

Ri+ W8− W7− L+ D+ W3− W1− W2− Ai+.

Notice that the time between the D+ and the W1− transitions is six time units (which is Δhaz for the gate with those inputs) rather than four, as in the other trace. Also, once in chaos mode, W2 does not transition until 8 time units after D did.

Determining that the circuit was not correct, and finding the counter-example trace, required examining slightly fewer states than in the inertial delay case; the verification time was proportionally reduced. This is typical for automatic verification methods based on trace theory; finding an error is usually faster than verifying correctness. Since the circuit is still not correct even under such an optimistic gate model, it is unlikely that the circuit would work reliably if implemented. We could not be as certain of this conclusion if we had only used the more conservative model of figure 5.6.
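To make the three treatments of a hazard concrete, here is an added Python simulation (an example written for this page, not code from the thesis or its verifier) of the extended binary chaos delay element of figure 5.9. Setting Δhaz above Δmax gives the inertial behaviour of section 5.4, Δhaz = 0 gives the chaos-on-any-hazard entry of section 5.5 (the output in chaos mode is still held for Δmin as in figure 5.9, unlike figure 5.6), and Δhaz = ⌊0.75·8⌋ = 6 is the setting used above for the gate driving W2, whose (8 12) bounds are taken from figure 5.8. The input pulses of 4 and 6 time units mirror the hazards in the two counter-example traces. Two simplifications are assumptions of this example and not part of the model: clocks advance in integer steps, and the output fires as early as the rules permit, so the disallow rules are never reached.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Event = Tuple[int, str]   # (time, what happened)


@dataclass
class ExtendedChaosDelay:
    """Binary delay element following the rule structure of figure 5.9.
    Added example; integer clocks and earliest firing of z are simplifications
    made here, the thesis model is nondeterministic about the firing time."""
    d_min: int                  # Δmin
    d_max: int                  # Δmax
    d_haz: int                  # Δhaz: hazards shorter than this are ignored
    y: int = 0                  # input
    z: int = 0                  # output
    c: bool = False             # chaos-mode flag (state variable c)
    t_z: Optional[int] = None   # clock tz, None = reset (stopped)
    t_c: Optional[int] = None   # clock tc, None = reset (stopped)
    log: List[Event] = field(default_factory=list)

    def input_transition(self, now: int) -> None:
        """Rules 1-4: the input y toggles at time `now`."""
        quiescent = self.y == self.z
        self.y ^= 1
        self.log.append((now, f"y:={self.y}"))
        if self.c:                                    # rule 4: still in chaos, restart tc
            self.t_c = 0
        elif quiescent:                               # rule 1: start timing the output delay
            self.t_z = 0
        elif self.t_z is not None and self.t_z < self.d_haz:
            self.t_z = None                           # rule 2: short hazard, forget it
            self.log.append((now, "hazard-ignored"))
        else:                                         # rule 3: long hazard, enter chaos mode
            self.c = True
            self.t_c = 0
            self.log.append((now, "chaos-enter"))

    def output_rules(self, now: int) -> None:
        """Rules 5-9, evaluated at time `now` before any input change at that time."""
        if not self.c:
            if self.y != self.z and self.t_z is not None and self.t_z >= self.d_min:
                self.z = self.y                       # rule 5 (firing at Δmin keeps clear of rule 6)
                self.t_z = None
                self.log.append((now, f"z:={self.z}"))
        elif self.t_c == self.d_max:                  # rule 8: leave chaos (rule 9 forbids staying longer)
            if self.z != self.y:                      # rule 7 allows this: tz >= tc = Δmax >= Δmin
                self.z = self.y
                self.log.append((now, f"z:={self.z}"))
            self.c, self.t_z, self.t_c = False, None, None
            self.log.append((now, "chaos-exit"))
        elif self.t_z == self.d_min:                  # rule 7 becomes enabled: z is unpredictable from here
            self.log.append((now, "z-unpredictable-from"))

    def advance(self) -> None:
        """Let one time unit pass on the running clocks."""
        if self.t_z is not None:
            self.t_z += 1
        if self.t_c is not None:
            self.t_c += 1


def run(d_min: int, d_max: int, d_haz: int, toggles: List[int], horizon: int) -> List[Event]:
    """Simulate `horizon` time units; `toggles` lists the times at which y changes."""
    elem = ExtendedChaosDelay(d_min, d_max, d_haz)
    when = set(toggles)
    for now in range(horizon):
        elem.output_rules(now)
        if now in when:
            elem.input_transition(now)
        elem.advance()
    return elem.log


if __name__ == "__main__":
    # Gate driving W2 in figure 5.8 has bounds (8 12); the 4-unit pulse is the
    # hazard of trace (5.1), the 6-unit pulse the one of the second trace.
    print("inertial (Δhaz > Δmax), 4-unit pulse:", run(8, 12, 13, [0, 4], 30))
    print("chaos (Δhaz = 0), 4-unit pulse:      ", run(8, 12, 0, [0, 4], 30))
    print("Δhaz = 6, 4-unit pulse:              ", run(8, 12, 6, [0, 4], 30))
    print("Δhaz = 6, 6-unit pulse:              ", run(8, 12, 6, [0, 6], 30))
```

In the chaos runs the output becomes unpredictable only at time 8, that is Δmin after the first transition of the hazard, and chaos mode is left Δmax after the last input change, which is the behaviour the text attributes to the delayed chaos output of figure 5.9.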


5.8 Single Trajectory Delay Models

The binary inertial delay can be extended to use ternary logic values. This idea has been used to develop efficient, conservative simulation algorithms based on inertial delay [90].

Binary bounded delay models can be difficult to analyze because of the non-determinism introduced by having component delays possibly vary. If this non-determinism is represented using the ternary value X, then it is possible to construct a single trajectory model [11]. The key property of a single trajectory model is that for a given input stream, only one sequence of output transitions is possible. Computationally, this can be much more efficient than representing non-determinism with a large number of different binary transition sequences. However, single trajectory models can be more conservative and, therefore, lead to more false negative verification results.

Seger [90, 91] used this idea to develop an efficient algorithm for analyzing races in asynchronous circuits. Unlike the models we describe in this section, Seger's extended inertial delay model is not actually a single trajectory model. However, only a single trajectory of Seger's model needs to be considered to accurately analyze circuits; this is the key to the efficiency of his analysis algorithm. In our work, the property that only a single trajectory needs to be considered is made explicit in the models themselves.

A single trajectory inertial delay model is described using production rules in figure 5.10. In the production rules for the binary delay models, we labeled the arrows with the name of the signal that transitioned. In the non-binary models of this section, the label must also indicate what value the signal transitions to. Two different clocks, tB and tX, are required in the ternary inertial delay model. The clock tB is used to enforce time bounds on when z must transition to a binary value; tX enforces time bounds on when z must transition to a non-binary value. We assume 0 < Δmin < Δmax.

In the first rule, the delay element is quiescent with binary values on its input and output. When the input transitions to X, the clock tX is started to record the delay before z transitions to X; the clock tB remains stopped. In the second rule, tB is initially running because z is being driven to a binary value. Once y transitions to X, the clock tB can be stopped; tX,
(1)  $(y = \beta) \wedge (z = \beta) \xrightarrow{y := X} \mathrm{restart}(t_X)$

(2)  $(y = \beta) \wedge (z \neq \beta) \xrightarrow{y := X} \mathrm{reset}(t_B)$

(3)  $(y = \beta) \wedge (z = \beta) \xrightarrow{y := \neg\beta} \mathrm{restart}(t_X);\ \mathrm{restart}(t_B)$

(4)  $(y = X) \wedge (z = \beta) \xrightarrow{y := \neg\beta} \mathrm{restart}(t_B)$

(5)  $(y \neq \beta) \wedge (z = \beta) \xrightarrow{y := \beta} \mathrm{reset}(t_X);\ \mathrm{reset}(t_B)$

(6)  $(y \neq \beta) \wedge (z = X) \xrightarrow{y := \beta} \mathrm{restart}(t_B)$

(7)  $(t_X = \Delta_{min}) \wedge (z \neq X) \xrightarrow{z := X} \mathrm{reset}(t_X)$

(8)  $(t_X > \Delta_{min}) \wedge (z \neq X) \longrightarrow \mathrm{disallow}$

(9)  $(t_B = \Delta_{max}) \wedge (y = \beta) \wedge (z \neq \beta) \xrightarrow{z := \beta} \mathrm{reset}(t_B)$

(10)  $(t_B > \Delta_{max}) \wedge (y = \beta) \wedge (z \neq \beta) \longrightarrow \mathrm{disallow}$

Figure 5.10: Extended inertial delay. The meta-variable β ranges over {0, 1}.

which can be stopped or running, is unchanged. When y transitions to a binary value not equal to z, then tB is restarted, as in rules 3, 4 and 6. The fifth rule expresses the key property of the inertial model: when y transitions to a binary value equal to z, both clocks are reset as if no hazard occurred. The remaining rules control the transitions of the output z. Notice that for any sequence of input transitions, there is only one possible sequence of production rule firings, even if the time of the firings is considered. This is the key property of a single trajectory model.
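As an added example (not code from the thesis), the following Python class follows the rule structure of figure 5.10 in integer time and exhibits the single trajectory property: each timed input sequence yields exactly one output sequence, with no choice left to the simulator. Two assumptions are made here: clocks advance in unit steps, and the forced transitions of rules 7 and 9 fire exactly when tX = Δmin and tB = Δmax, which the disallow rules 8 and 10 require in any case. The (4 7) bounds are the inverter bounds of figure 5.8; the input sequences are constructed for the example.

```python
from typing import Dict, List, Optional, Tuple, Union

X = "X"                       # the ternary "unknown / in transition" value
Val = Union[int, str]         # 0, 1 or X


class TernaryInertialDelay:
    """Single trajectory (3-valued) inertial delay element following the rule
    structure of figure 5.10.  Added example, not the thesis's model code."""

    def __init__(self, d_min: int, d_max: int, initial: int = 0) -> None:
        self.d_min, self.d_max = d_min, d_max
        self.y: Val = initial             # input
        self.z: Val = initial             # output
        self.t_x: Optional[int] = None    # clock tX, None = reset (stopped)
        self.t_b: Optional[int] = None    # clock tB, None = reset (stopped)
        self.out: List[Tuple[int, Val]] = []

    def input_transition(self, now: int, v: Val) -> None:
        """Rules 1-6: y changes to v (with v != y) at time `now`."""
        y, z = self.y, self.z
        if v == X:
            if y == z:
                self.t_x = 0              # rule 1: time the move of z to X
            else:
                self.t_b = None           # rule 2: z owes no binary value any more; tX unchanged
        elif z == X:
            self.t_b = 0                  # rule 6: z must reach the binary v within Δmax
        elif v == z:
            self.t_x = self.t_b = None    # rule 5: hazard, y is back at z's value; forget it
        elif y == X:
            self.t_b = 0                  # rule 4: z (= ¬v) must now reach v; tX keeps running
        else:
            self.t_x = self.t_b = 0       # rule 3: y = z = ¬v, start both clocks
        self.y = v

    def output_rules(self, now: int) -> None:
        """Rules 7 and 9 (rules 8 and 10 are never reached when these fire on time)."""
        if self.t_x == self.d_min and self.z != X:
            self.z = X                                    # rule 7
            self.t_x = None
            self.out.append((now, X))
        if self.t_b == self.d_max and self.y != X and self.z != self.y:
            self.z = self.y                               # rule 9
            self.t_b = None
            self.out.append((now, self.z))

    def advance(self) -> None:
        """Let one time unit pass on the running clocks."""
        if self.t_x is not None:
            self.t_x += 1
        if self.t_b is not None:
            self.t_b += 1


def run_ternary(d_min: int, d_max: int, inputs: List[Tuple[int, Val]], horizon: int) -> List[Tuple[int, Val]]:
    """Return the unique output trajectory for the given timed input changes."""
    elem = TernaryInertialDelay(d_min, d_max)
    schedule: Dict[int, Val] = dict(inputs)
    for now in range(horizon):
        elem.output_rules(now)
        if now in schedule:
            elem.input_transition(now, schedule[now])
        elem.advance()
    return elem.out


if __name__ == "__main__":
    print(run_ternary(4, 7, [(0, 1)], 20))                 # clean step: X at Δmin, 1 at Δmax
    print(run_ternary(4, 7, [(0, 1), (2, 0)], 20))         # 2-unit hazard: ignored, no output
    print(run_ternary(4, 7, [(0, X), (5, 1)], 20))         # input goes through X first
    print(run_ternary(4, 7, [(0, 1), (2, X), (6, 0)], 20))  # rule 2 then rule 6
```

The second run shows the inertial property of rule 5: the input returns to the output's value before tX reaches Δmin, both clocks are reset, and the output never moves. In the last run the pending binary transition is cancelled by the input going to X (rule 2), z still becomes X from the running tX, and then settles to the new input value Δmax after it arrived.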

It is also possible to define a single trajectory version of the chaos delay model. However, since the chaos delay model distinguishes between multiple transitions (a hazard) and a single transition that occurs at an unknown time (the normal case), three logic values are not adequate for this purpose. Two additional values D and U (for a total of five) representing downward and upward transitions must be added. The remainder of this section gives a brief description of the model (see figure 5.11).

The operations ◁ and ▷ take a single binary argument and are defined by

$\triangleleft 0 = U \qquad \triangleright 0 = D$

$\triangleleft 1 = D \qquad \triangleright 1 = U.$
(1)  $(y = \beta) \wedge (z = \beta) \xrightarrow{y := \triangleleft\beta} \mathrm{restart}(t_X)$

(2)  $(y = \beta) \wedge (z = \beta) \xrightarrow{y := \neg\beta} \mathrm{restart}(t_X);\ \mathrm{restart}(t_B)$

(3)  $(y = \beta) \wedge (z = \alpha) \xrightarrow{y := \triangleleft\beta,\ z := X} \mathrm{reset}(t_X);\ \mathrm{reset}(t_B)$, where $(\alpha \neq \beta) \wedge (\alpha \neq X)$

(4)  $(y = \beta) \wedge (z = \alpha) \xrightarrow{y := \neg\beta,\ z := X} \mathrm{reset}(t_X);\ \mathrm{restart}(t_B)$, where $(\alpha \neq \beta) \wedge (\alpha \neq X)$

(5)  $(y = \triangleright\beta) \wedge (z \neq X) \xrightarrow{y := \beta} \mathrm{restart}(t_B)$

(6)  $(y \neq X) \wedge (z \neq X) \xrightarrow{y := X,\ z := X} \mathrm{reset}(t_X);\ \mathrm{reset}(t_B)$

(7)  $(y \neq \beta) \wedge (z = X) \xrightarrow{y := \beta} \mathrm{restart}(t_B)$

(8)  $(y \neq \alpha) \wedge (z = X) \xrightarrow{y := \alpha} \mathrm{reset}(t_B)$, where $(\alpha \neq 0) \wedge (\alpha \neq 1)$

(9)  $(t_X = \Delta_{min}) \wedge (y = \alpha) \wedge (z = \beta) \xrightarrow{z := \triangleleft\beta} \mathrm{reset}(t_X)$, where $(\alpha = \neg\beta) \vee (\alpha = \triangleleft\beta)$

(10)  $(t_X > \Delta_{min}) \wedge (y = \alpha) \wedge (z = \beta) \longrightarrow \mathrm{disallow}$

(11)  $(t_B = \Delta_{max}) \wedge (y = \beta) \wedge (z \neq \beta) \xrightarrow{z := \beta} \mathrm{reset}(t_B)$

(12)  $(t_B > \Delta_{max}) \wedge (y = \beta) \wedge (z \neq \beta) \longrightarrow \mathrm{disallow}$

Figure 5.11: Extended chaos delay. The meta-variables α and β range over {0, 1, D, U, X} and {0, 1}, respectively.
As a memory aid, notice that in the equation ▷0 = D, for example, the triangle points to the 0, and D is the value of a signal that is transitioning to 0. In the equation ◁0 = U, the triangle points away from the 0, and U is the value of a signal that is transitioning from 0.

The delay element described in figure 5.11 is in chaos mode if and only if its output is X. Thus, there is no need for the state variable c that was used in the binary chaos delay model.

Transitions from β to ▷β, where β is a binary value, are not allowed in the model, since they are not physically meaningful. Similarly, ▷β can only transition to β and to X, and X can only transition to a binary value. The single trajectory chaos delay element enforces these restrictions on its output, and assumes that its input satisfies these restrictions.

In the first rule, the delay element is quiescent with the binary value β on its input and output. When the input transitions to ◁β, the clock tX is started to record the delay before z transitions to ◁β; the clock tB remains stopped. If y transitions from β directly to ¬β, as in rule 2, then both clocks need to be restarted. Rules 3 and 4 involve y transitions that put the delay element in chaos mode. This results in z transitioning to X simultaneously with the y transition, which is represented by having two labels (one for each simultaneous transition) on the arrow of the production rule. Rules 5 through 8 handle the rest of the possible input transitions. The remaining rules control the transitions of the output z.

It can be shown that for reachable states of the delay element, if y = β, then z ≠ ◁β. Also, if y = ▷β, then z ≠ β and z ≠ ◁β. Finally, if y = X, then z = X.

5.9 Discussion

We verified two speed-dependent asynchronous circuits, using a variety of delay models. We demonstrated that the binary inertial delay model can lead to false positive results on one of those circuits. Using the binary chaos delay model, the verifier was able to discover an error in the same circuit.

We described how the binary inertial and binary chaos delay models can be extended to single trajectory models, using 3-valued and 5-valued logics, respectively. It may be possible to combine the binary and the extended models to achieve a better balance between efficiency and accuracy. For example, a subcircuit with reconvergent fanout could be analyzed with binary chaos delay, with the results then abstracted into the single trajectory model. Then the single trajectory model could be used to efficiently simulate or verify the full circuit without having the reconvergent fanout cause an overly conservative result. Any such model could be immediately used by our automatic verifier; all that is necessary is to compile the models into the appropriate finite automata representations.
Chapter 6

Future Research


In this thesis, we have described general techniques, based on trace algebra and trace structure algebra, for constructing domains of agent models. We introduced the idea of conservative approximations between trace structure algebras, and constructed conservative approximations from continuous time models to discrete time models and from explicit simultaneity semantics to interleaving semantics. We implemented an automatic verifier and demonstrated it on speed-dependent asynchronous circuits with several new delay models.

The  work  described  in  this  thesis  is  very  much  work  in  progress.  The  most  pressing  tasks  are 
to  formalize  continuous  time  and  discrete  time  semantics  for  the  production  rule  notation  used 
in  section  5.2,  and  to  show  that  these  semantics  are  appropriately  related  by  a  conservative 
approximation.  The  discrete  time  semantics  would  be  used  in  the  existing  automatic  verifier. 
If  a  system  is  verified  to  be  correct  under  the  discrete  time  semantics,  then  it  is  guaranteed  to 
also  be  correct  under  the  continuous  time  semantics.  Currently,  it  is  difficult  to  verify  that  the 
discrete  time  semantics  of  a  particular  agent  is  a  conservative  approximation  of  the  desired 
continuous  time  semantics. 

It is important to understand how much information is lost when using a conservative approximation Ψ = (Ψl, Ψu) from a continuous time model to a discrete time model. One way to describe the information loss is to characterize the set 𝒯 of continuous time trace structures T for which Ψl(T) = Ψu(T). This is the same as the image of the inverse of Ψ (see section 4.4 for a description of the inverse of a conservative approximation). If T0 is a continuous time trace structure that is used in a verification problem, the chances of a false negative verification result are reduced if T0 is a member of 𝒯. We have described in previous work [19] how 𝒯 can be made to include more realistic models by using abstractions defined only on initially speed-independent trace structures. A trace structure T = (γ, P) is initially speed-independent if suf(x, P) = P for any partial trace x that represents a behavior where no actions occur (only time passes); this is a much weaker requirement than speed-independence. All of the agents that can be expressed using the production rule notation of chapter 5 are initially speed-independent since all clocks are stopped in the initial state.

An area for future research is to integrate the idea of initially speed-independent trace structures with our more recent work on conservative approximations of real-time models. We conjecture that all of the continuous time agents expressible with our production rules can be represented exactly by trace structures over C_QTS (the model of quantized time with simultaneity). However, an implementation of the production rule language using discrete time clocks will not always produce this exact representation; a more sophisticated algorithm is required. We will also explore how these results relate to Henzinger, Manna and Pnueli's notion of digitizable agents [47].

We would also like to use trace algebra and conservative approximations to study several untimed models of concurrency, such as Mazurkiewicz traces and partial orders. We believe such a study might shed some light on the relationships between these models and interleaving semantics. The relationship between action based models and state based models is another area for future research.

We would like to extend some of our techniques. Trace algebra homomorphisms and conservative approximations could be allowed to change alphabets. This would significantly increase the number of useful abstractions that could be constructed with conservative approximations. It should also be possible to extend trace structures to include two sets of traces (like the success sets and failure sets of Dill's trace structures) and to generalize the notion of receptiveness [38] to arbitrary trace structure algebras.


Appendix  A 

Summary  of  Notation 


Table A.1: Summary of Trace Algebras

Symbol | Trace algebra
 | Continuous Time with Ordered rep., isomorphic to (def. 3.14, p. 69)
𝒞^CTu | Continuous Time with Unordered rep. (def. 3.2, p. 59)
 | extends with partial traces (def. 4.23, p. 88)
 | (Untimed) Interleaving Semantics (def. 2.9, p. 27)
𝒞^QTI | Quantized Time with Interleaving (def. 4.8, p. 82)
 | extends with partial traces (def. 4.24, p. 88)
 | isomorphic to 𝒞^QTI, uses ψ to denote time (def. 4.10, p. 83)
𝒞^QTS | Quantized Time with Simultaneity (def. 3.10, p. 65)
 | isomorphic to , power set algebra over (def. 4.16, p. 84)
 | Synchronous Time (def. 3.6, p. 60)

Table A.2: Summary of Trace Structure Algebras

Symbol | Trace structure algebra
𝒜^CTu | all trace str's over 𝒞^CTu (def. 3.5, p. 60)
 | extends 𝒜^CTu with partial traces (def. 4.57, p. 104)
 | all trace str's over (def. 2.31, p. 40)
 | extends 𝒜^I with partial traces (def. 4.58, p. 104)
𝒜^IR | mixed regular trace str's over (def. 2.32, p. 41)
𝒜^QTIψ | all trace str's over (def. 4.12, p. 83)
 | all trace str's over (def. 4.12, p. 83)
 | all trace str's over (def. 3.13, p. 68)
 | all trace str's over (def. 3.8, p. 61)
Symbol | Decorations | Denotes
A* | none | set of all finite sequences over A
A^ω | none | set of all infinite sequences over A
A^∞ | none | A* ∪ A^ω
⌊t⌋ | none | floor of t
X ∪ Y | none | union of sets X and Y
 | none | union of the sets in the set X
2^X | none | set of subsets of an arbitrary set X
 | none | X subset of Y
 | none | trace structure T contained in T' (def. 2.21, p. 34)
X × Y | none | cartesian product of X and Y
x · y | none | concatenation of traces in trace algebra (def. 4.20, p. 86)
 | none | empty set
A ⇀ B | none | set of all partial functions with domain A and codomain B
A → B | none | set of all total functions with domain A and codomain B
r|_{A→B} | none | function r restricted to domain A and codomain B
E ∥ E' | none | parallel composition of agents in concurrency algebra (def. 2.6, p. 23)
T ∥ T' | none | parallel composition of trace structures in trace structure algebra (def. 2.18, p. 33)
|B| | none | number of elements in set B
 | none | set of all agent signatures (def. 2.1, p. 22)
 | primes, integer sub's | agent signature (def. 2.1, p. 22), default agent signature of E (note 2.4, p. 23) and T (note 2.16, p. 33)
 | none | length of longest ignorable hazard (p. 121)
 | none | maximum delay (p. 111)
 | none | minimum delay (p. 111)
 | alphabet sub's | empty trace (T13, p. 87), empty sequence
 | none | functional abstraction
ψ | none | passage of a unit of time in traces of (def. 4.10, p. 83) and (def. 4.24, p. 88)
Ψ | primes | conservative approximation (def. 2.34, p. 42)
 | primes | inverse of Ψ (def. 4.60, p. 105)
Ψ_l | primes | lower bound mapping of Ψ
Ψ_u | primes | upper bound mapping of Ψ
 | primes, integer sub's | sequence of time stamps (def. 3.14, p. 69)
∞ | none | infinity
A | primes, integer sub's | alphabet (def. 2.2, p. 22), default alphabet of γ (note 2.3, p. 22)
a | primes, integer sub's | signal (def. 2.1, p. 22)
𝒜 | primes, mnem. sup's | trace structure algebra with partial traces (def. 4.48, p. 100)
𝒜_C | primes, mnem. sup's | trace structure algebra without partial traces (def. 2.17, p. 33)
𝒜_PC | primes, mnem. sup's | trace structure algebra of prefix-closed trace structures (def. 4.43, p. 96)
A1, ..., A4 | none | antecedents for thm. 2.35 (p. 43)
B | primes, integer sub's | alphabet (def. 2.2, p. 22)
b | primes, integer sub's | signal (def. 2.1, p. 22)
ℬ | primes, mnem. sup's | set of all traces in a trace algebra with partial traces (def. 4.20, p. 86)
ℬ(A) | primes, mnem. sup's | set of all traces over alphabet A in a trace algebra with partial traces (def. 4.20, p. 86)
ℬ_C | primes, mnem. sup's | set of all complete traces in a trace algebra (def. 2.7, p. 26; def. 4.20, p. 86)
ℬ_C(A) | primes, mnem. sup's | set of all complete traces over alphabet A in a trace algebra (def. 2.7, p. 26; def. 4.20, p. 86)
ℬ_P | primes, mnem. sup's | set of all partial traces in a trace algebra (def. 4.20, p. 86)
ℬ_P(A) | primes, mnem. sup's | set of all partial traces over alphabet A in a trace algebra (def. 4.20, p. 86)
𝒞 | primes, mnem. sup's | trace algebra with partial traces (def. 4.20, p. 86)
𝒞_C | primes, mnem. sup's | trace algebra without partial traces (def. 2.7, p. 26; def. 4.25, p. 89)
𝒞_P, 𝒞_PC | primes, mnem. sup's | trace algebra (def. 4.25, p. 89)
𝒞_{C,P} | primes, mnem. sup's | trace algebra with traces represented by their set of prefixes (def. 4.45, p. 97)
C1, ..., C9 | none | axioms of concurrency algebra (def. 2.6, p. 23)
codom(f) | none | codomain of an arbitrary function f
𝒟 | primes, mnem. sup's | domain of agents for a concurrency algebra (def. 2.6, p. 23)
dom(f) | none | domain of an arbitrary function f
E | primes, integer sub's | agent in a concurrency algebra (def. 2.6, p. 23)
h | none | homomorphism from one trace algebra to another (def. 2.38, p. 45)
I | primes, integer sub's | set of input signals (def. 2.2, p. 22), default input signal set of γ (note 2.3, p. 22)
id(A) | none | identity function over set A
i | primes, integer sub's | integer
 | none | subset of 2^ℬ(B) (thm. 2.30, p. 40)
L1, ..., L5 | none | antecedents for thm. 2.30 (p. 40) and thm. 4.56 (p. 104)
len(u) | none | length of sequence u
m | primes, integer sub's | integer
n | primes, integer sub's | integer
 | none | integers
 | none | non-negative integers
 | none | positive integers
O | primes, integer sub's | set of output signals (def. 2.2, p. 22), default output signal set of γ (note 2.3, p. 22)
P | primes, integer sub's, mnem. sub's l and u | set of possible traces of a trace structure
T1, ..., T8 | none | axioms of trace algebra without partial traces (def. 2.7, p. 26)
T9, ..., T19 | none | additional axioms of trace algebra with partial traces (def. 4.20, p. 86)
pre(X) | none | prefixing on traces in a trace algebra (def. 4.26, p. 89)
proj(B)(E) | none | projection on agents in a concurrency algebra (def. 2.6, p. 23)
proj(B)(T) | none | projection on trace structures in a trace structure algebra (def. 2.19, p. 33)
proj(B)(x) | none | projection on traces in a trace algebra (def. 4.20, p. 86)
r(a) | primes, integer sub's | renaming function (def. 2.5, p. 23)
ℝ | none | real numbers
 | none | non-negative real numbers
ℝ^+ | none | positive real numbers
rename(r)(E) | none | renaming on agents in a concurrency algebra (def. 2.6, p. 23)
rename(r)(T) | none | renaming on trace structures in a trace structure algebra (def. 2.20, p. 34)
rename(r)(x) | none | renaming on traces in a trace algebra (def. 4.20, p. 86)
reset(t) | none | operation on clock t (p. 111)
restart(t) | none | operation on clock t (p. 111)
interleave(x) | none | set of interleavings of a trace x (def. 4.15, p. 84)
suf(x, T) | none | suffixing on trace structures in a trace structure algebra (def. 4.48, p. 100)
suf(x, X) | none | suffixing on traces in a trace algebra (def. 4.26, p. 89)
T | primes, integer sub's | trace structure of a trace algebra (def. 2.15, p. 33)
t | primes, integer sub's | clock (p. 111) or time stamp
𝒯 | primes, mnem. sup's | domain of trace structures of a trace algebra (def. 4.48, p. 100)
u | primes, integer sub's | sequence of actions or sets of actions (def. 3.14, p. 69)
W | none | set of all signals (def. 2.1, p. 22)
w | primes, integer sub's | trace
X | primes, integer sub's | set of traces
x | primes, integer sub's | trace
Y | primes, integer sub's | set of traces
y | primes, integer sub's | trace